Information processing system and method

ABSTRACT

An information processing system and method are disclosed in which information processing is performed in a highly efficient manner using an enabling key block (EKB) on the basis of a tree structure including category subtrees. A key tree is produced so as to include a plurality of subtrees that are grouped in accordance with categories and managed by category entities. An EKB is produced so as to include data produced by selecting a path in the key tree and encrypting an upper-level key in the selected path using a lower-level key in the selected path. The resultant EKB is provided to a device. If a change occurs in state of a category tree capable of processing an EKB identified in the EKB type definition list, a notification of the change in state is sent to an entity that uses the EKB thereby making it possible for an EKB requester to perform processing in accordance with a newest EKB.

BACKGROUND OF THE INVENTION

The present invention relates to an information processing system, aninformation processing method, and an information storage medium, andparticularly to a data distribution system and method for providingvarious kinds of data such as content data to an authorized user bymeans of a process including a cryptographic process. More particularly,the present invention relates to an information processing system, aninformation processing method, and an information storage medium, inwhich a key block is produced using a hierarchical-tree key distributiontechnique depending on a device to which content is to be provided, andthe key block is used in encryption of the content and also intransmission of a content key, thereby ensuring that the content, thecontent key, and other data are securely provided.

It is now very popular to distribute various kinds of software data suchas a game program, audio data, and image data (hereinafter, such datawill be referred to as content) via a network such as the Internet orvia a distributable storage medium such as a DVD or a CD. After loadingsuch content data onto a PC (Personal Computer) or a game machine of auser via data transmission, or after loading a storage medium on whichcontent data is stored onto the PC or the game machine, the user canenjoy played-back content. Content stored on a storage medium may bestored into a storage device such as a memory card or a hard diskdisposed in a PC or a recording/playing-back apparatus so that thecontent can be reproduced from the storage device.

An information apparatus such as a video game machine or a PC mayinclude an interface for receiving content via a network or accessing aDVD or a CD, and further include a RAM, a ROM, or the like, used as amemory area for storing control means, a program, and data needed toreproduce content.

Various kinds of contents such as music data, video data, or a programmay be read from a storage medium and played back on an informationapparatus itself such as a game machine or a PC used as a playbackdevice or played back on a display or by a speaker connected to theinformation apparatus. This may be done in response to a command inputby a user directly to the information apparatus or indirectly via inputmeans connected to the information apparatus.

In general, the right of distribution of software contents such as agame program, music data, or video data is held by producers or sellersof the software content. Software content is generally distributed underspecific usage limitations to secure that only authorized users can usesoftware content and that unauthorized copies thereof cannot be made.

One technique of limiting usage to specific users is to encrypt content.More specifically, content such as audio data, video data, or a gameprogram is distributed via the Internet or the like after encrypting thecontent, and a decryption key, which is means for decrypting theencrypted content, is given only to authorized users.

The encrypted data can be converted into its original form (plaintext)by performing a predetermined decryption process upon the encrypteddata. The technique of encrypting and decrypting information using anencryption key and a decryption key is well known in the art.

Various techniques of encrypting and decrypting data using an encryptionkey and a decryption key are known. One of them is a technique known ascommon key cryptography. In the common key cryptography, the same key,called a common key, is used as both an encryption key for encryptingdata and a decryption key for decrypting the encrypted data. The commonkey is given only to authorized users so that unauthorized users who donot have the common key cannot access the data. A specific example ofthe common key cryptography is that based on the DES (Data EncryptionStandard).

An encryption key for encrypting data and a decryption key fordecrypting the encrypted data can be obtained from a password or thelike using a unidirectional function such as a hash function. Herein,the unidirectional function refers to a function whose input is verydifficult to guess from an output thereof. Although anencryption/decryption key can be generated using an output obtained byapplying a unidirectional function to, for example, a passworddetermined by a user, it is substantially impossible to determine, fromthe obtained encryption/decryption key, the password that is originaldata from which the encryption/decryption key is generated.

Another known technique is public key cryptography in which anencryption key used for encryption and a decryption key used fordecryption are generated in accordance with different algorithms. In thepublic key cryptography, a public key, which is allowed to be used byany unspecified user, is issued by a particular user, and a document tobe provided to that particular user is encrypted using the public keyissued by the particular user. The document encrypted using the publickey can only be decrypted using a secret key corresponding to theencryption key used to encrypt that document. The secret key is heldonly by the user who issued the public key, and thus the documentencrypted using the public key can be decrypted only by the user havingthe secret key. A representative example of the public key cryptographyis that based on the RSA (Rivest-Shamir-Adelman) algorithm. Using one ofabove-described cryptography techniques, it is possible to realize asystem in which encrypted contents can be decrypted only by authorizedusers.

In such a content distribution system, encrypted contents are providedto users via a network or via a storage such as a DVD or a CD, andcontent keys used to decrypt the encrypted contents are provided only toauthorized users. To prevent a content key from being copied in anunauthorized manner, it has been proposed to encrypt a content key andprovide the encrypted content key to an authorized user so that only theauthorized user can decrypt the encrypted content key using a decryptionkey held only by the authorized user.

A judgment of whether one is an authorized user or not is generally madeby performing authentication between a user device and a contentprovider who is a sender of content, before transmitting content or acontent key. In a usual authentication process, if the user isdetermined to be authorized, a session key is produced which can be usedonly during the present communication, and data such as content or acontent key is transmitted after encrypting it using the session key.Authentication may be performed using the common key cryptography or thepublic key cryptography. In the case where authentication is performedusing the common key encryptography, a common key for system-wide use isneeded. This results in inconvenience in renewal. On the other hand, inthe case where the public key encryptography is employed, undesirablycomplex calculations using a memory with an undesirably high capacityare required.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a technique ofsecurely transmitting data only to authorized users without having toperform mutual authentication between a sender and a receiver, by usingan encrypted key block which can be used (decrypted) in a plurality ofcategory trees defined as subtrees in a hierarchical key distributiontree.

More specifically, it is an object of the present invention to providean information processing system, an information processing method, andan information storage medium, in which an enabling key block (EKB)including encrypted key data which can be decrypted by one or moreselected category trees is produced thereby making it possible fordevices belonging to any one of the selected category trees to use theenabling key block (EKB), and an EKB type definition list, indicatingwhich EKB type can be processed or decrypted by which category tree, isused thereby making it possible to perform production and management ofenabling key blocks (EKB's) in a highly efficient manner.

It is another object of the present invention to provide an informationprocessing system, an information processing method, and an informationstorage medium, in which a notification of a change in state of acategory tree capable of processing an EKB identified in an EKB typedefinition list is sent to an entity that uses the EKB thereby making itpossible to use newest EKB type definition information in processing.

According to a first aspect of the present invention, there is providedan information processing system in which a key tree is formed so as toinclude leaves, a root, and nodes existing in paths from the respectiveleaves to the root; a plurality of devices are assigned to respectiveleaves; keys are assigned to the root, the leaves, and the nodes,located in paths from the root to leaves; an enabling key block (EKB) isproduced which includes data produced by selecting a path in the keytree and encrypting an upper-level key in the selected path using alower-level key in the selected path such that the encrypted data can bedecrypted only by the device which can use a node key set correspondingto the selected path; and the resultant enabling key block (EKB) isprovided to the device,

wherein the key tree includes a plurality of subtrees serving ascategory trees that are grouped in accordance with categories andmanaged by category entities; and

the information processing system includes a key distribution center(KDC) that produces and issues an EKB capable of being decrypted incommon in one or more category trees, wherein

the key distribution center (KDC) has an EKB type definition listrepresenting the correspondence between an EKB type identifier and oneor more identification data identifying one or more category trees thatcan process an EKB of an EKB type identified by the EKB type identifier;and

the key distribution center (KDC) sends a notification of a change instate of a category tree capable of processing an EKB identified in theEKB type definition list to at least an entity that uses the EKB capableof being processed in the category tree in which the change in state hasoccurred.

In an embodiment of the information processing system according to thepresent invention, the change in state in a category tree is a change instate arising from revocation (of a device) in the category tree.

In an embodiment of the information processing system according to thepresent invention, the change in state in a category tree is a change instate arising from a change of a key stored in a device belonging to thecategory tree.

In an embodiment of the information processing system according to thepresent invention, the entity, which uses the EKB, includes an entityserving as an EKB requester that issues an EKB production request to thekey distribution center (KDC).

In an embodiment of the information processing system according to thepresent invention, the entity, which uses the EKB, includes an entityserving as a category entity that manages a category tree capable ofprocessing an EKB defined in the EKB type definition list.

In an embodiment of the information processing system according to thepresent invention, the key distribution center (KDC) sends anotification of a change in state to all entities serving as an EKBrequester that issues an EKB production request to the key distributioncenter (KDC) or serving as a category entity that manages a categorytree.

In an embodiment of the information processing system according to thepresent invention, the key distribution center (KDC) receives statechange information indicating occurrence of a change in state of acategory tree from a category entity that manages said category tree,produces a notification of the change in state in accordance with thestate change information received from the category entity, and sendsthe produced notification.

According to a second aspect of the present invention, there is providedan information processing method for use in a system in which a key treeis formed so as to include leaves, a root, and nodes existing in pathsfrom the respective leaves to the root; a plurality of devices areassigned to respective leaves; keys are assigned to the root, theleaves, and the nodes, located in paths from the root to leaves; anenabling key block (EKB) is produced which includes data produced byselecting a path in the key tree and encrypting an upper-level key inthe selected path using a lower-level key in the selected path such thatthe encrypted data can be decrypted only by the device which can use anode key set corresponding to the selected path; and the resultantenabling key block (EKB) is provided to the device,

wherein a key distribution center (KDC), which produces and issues anEKB capable of being decrypted in common in one or more category trees,sends a notification of a change in state of a category tree capable ofprocessing an EKB identified in the EKB type definition list, in whichthe correspondence between an EKB type identifier and one or moreidentification data identifying one or more category trees capable ofprocessing an EKB of an EKB type identified by the EKB type identifieris described, to at least an entity that uses the EKB capable of beingprocessed in the category tree in which the change in state hasoccurred.

In an embodiment of the information processing method according to thepresent invention, the change in state in a category tree is a change instate arising from revocation (of a device) in the category tree.

In an embodiment of the information processing method according to thepresent invention, the change in state in a category tree is a change instate arising from a change of a key stored in a device belonging to thecategory tree.

In an embodiment of the information processing method according to thepresent invention, the entity, which uses the EKB, includes an entityserving as an EKB requester that issues an EKB production request to thekey distribution center (KDC).

In an embodiment of the information processing method according to thepresent invention, the entity, which uses the EKB, includes an entityserving as a category entity that manages a category tree capable ofprocessing an EKB defined in the EKB type definition list.

In an embodiment of the information processing method according to thepresent invention, the key distribution center (KDC) sends anotification of a change in state to all entities serving as an EKBrequester that issues an EKB production request to the key distributioncenter (KDC) or serving as a category entity that manages a categorytree.

In an embodiment of the information processing method according to thepresent invention, the key distribution center (KDC) receives statechange information indicating occurrence of a change in state of acategory tree from a category entity that manages said category tree,produces a notification of the change in state in accordance with thestate change information received from the category entity, and sendsthe produced notification.

According to a third aspect of the present invention, there is provideda program storage medium having a computer program stored therein forcausing a computer system to execute information processing in aninformation processing system in which a key tree is formed so as toinclude leaves, a root, and nodes existing in paths from the respectiveleaves to the root; a plurality of devices are assigned to respectiveleaves; keys are assigned to the root, the leaves, and the nodes,located in paths from the root to leaves; an enabling key block (EKB) isproduced which includes data produced by selecting a path in the keytree and encrypting an upper-level key in the selected path using alower-level key in the selected path such that the encrypted data can bedecrypted only by the device which can use a node key set correspondingto the selected path; and the resultant enabling key block (EKB) isprovided to the device, the computer program comprising the steps of:

receiving state change information indicating occurrence of a change instate of a category tree from a category entity that manages saidcategory tree; and

producing a notification of the change in state in accordance with thestate change information received from the category entity and sendingthe produced notification to at least an entity that uses the EKBcapable of being processed in the category tree in which the change instate has occurred.

In the present invention, by using the encrypted key tree distributiontechnique based on the hierarchical tree structure in which devices areassigned to leaves of an n-ary tree, a content key used as an encryptionkey of content, an authentication key used in authentication, or aprogram code is transmitted together with an enabling key block.

Furthermore, the data size of the enabling key block is reduced byemploying a data format including an encrypted key data part and a tagpart indicating the locations of encrypted keys, thereby making itpossible to perform decryption easily and quickly. That is, data isproduced in an encrypted form that can be decrypted only by anauthorized device whereby the data is securely provided to theauthorized device.

Furthermore, an enabling key block (EKB) is produced so as to includeencrypted key data that can be decrypted in selected one or morecategory trees thereby making it possible for any device belonging toany one of those selected category trees to use the enabling key block(EKB). The EKB is produced and managed in a highly efficient manner byusing the EKB type definition list representing which EKB can beprocessed or decrypted in which category tree.

A program storage medium according to the present invention is a mediumwhich provides a computer program in a computer-readable form to ageneral-purpose computer system executable of various program codes. Themedium is not limited to a particular type, but various types of media,for example, a storage medium such as a CD, FD, or MD or a transmissionmedium such as a network may be employed.

The program storage medium defines a cooperative relationship instructure or function, for realizing a function of a particular computerprogram on a computer system, between the computer program and thestorage medium. That is, by installing a particular computer programonto a computer system via a program storage medium, it becomes possibleto achieve a cooperative operation on the computer system therebyachieving functions similar to those achieved by the other aspects ofthe present invention.

In the present invention, the term “system” is used to describe alogical collection of a plurality of devices, and it is not necessarilyrequired that the plurality of devices are disposed in a single case.

These and other objects and features of the present invention willbecome more apparent from the following detailed description ofembodiments with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing an example of an information processingsystem according to the present invention.

FIG. 2 is a block diagram showing an example of a recording/reproducingapparatus used in the information processing system according to thepresent invention.

FIG. 3 is a tree structure diagram showing various keys and a process ofencrypting data used or performed in the information processing systemaccording to the present invention.

FIG. 4 is a diagram showing an example of an enabling key block (EKB)used to distribute various keys and data in the information processingsystem according to the present invention.

FIG. 5 is a diagram showing an example of a manner of distributing acontent key using an enabling key block (EKB) and an example of adecryption process, in the information processing system according tothe present invention.

FIG. 6 is a diagram showing an example of a format of an enabling keyblock (EKB) used in the information processing system according to thepresent invention.

FIG. 7 is a diagram illustrating tags in an enabling key block (EKB)used in the information processing system according to the presentinvention.

FIG. 8 is a diagram showing an example of a data format used todistribute an enabling key block (EKB) together with a content key andcontent, in the processing system according to the present invention.

FIG. 9 is a diagram showing an example of a process performed by adevice in a case where an enabling key block (EKB) is distributedtogether with a content key and content, in the processing systemaccording to the present invention.

FIG. 10 is a diagram showing correspondence between an enabling keyblock (EKB) and content for a case in which an enabling key block (EKB)and contents are stored on a storage medium, in the informationprocessing system according to the present invention.

FIG. 11 is diagram showing a process of distributing content using anenabling key block (EKB) in the information processing system accordingto the present invention, wherein, for the purpose of comparison, aprocess of distributing content according to a conventional technique isalso shown.

FIG. 12 is a diagram showing an authentication sequence using a commonkey cryptographic technique, performed in the information processingsystem according to the present invention.

FIG. 13 is a diagram showing (a first example of) a data format used todistribute an enabling key block (EKB) together with an authenticationkey and an example of a process performed by a device, in theinformation processing system according to the present invention.

FIG. 14 is a diagram showing (a second example of) a data format used todistribute an enabling key block (EKB) together with an authenticationkey and an example of a process performed by a device, in theinformation processing system according to the present invention.

FIG. 15 is a diagram showing an authentication sequence using a publickey cryptographic technique, performed in the information processingsystem according to the present invention.

FIG. 16 is a diagram showing a process of transmitting an enabling keyblock (EKB) together with a content key using authentication using apublic key cryptographic technique, in the processing system accordingto the present invention.

FIG. 17 is a diagram showing a process of transmitting an enabling keyblock (EKB) together with an encrypted program data, in the processingsystem according to the present invention.

FIG. 18 is a diagram showing an example of a process of producing an MACvalue used to produce a content integrity check value (ICV), in theinformation processing system according to the present invention.

FIG. 19 is a diagram showing (a first example of) a data format used totransmit an enabling key block (EKB) together with an ICV generationkey, in the information processing system according to the presentinvention.

FIG. 20 is a diagram showing (a second example of) a data format used totransmit an enabling key block (EKB) together with an ICV generationkey, in the information processing system according to the presentinvention.

FIG. 21 is a diagram showing a method of preventing data from beingcopied, by storing an integrity check value (ICV) in a medium, in theinformation processing system according to the present invention.

FIG. 22 is a diagram showing a method of managing a content integritycheck value (ICV) separately from a content storage medium, in theinformation processing system according to the present invention.

FIG. 23 is a diagram showing an example of categorization using categorysubtrees in a hierarchical tree structure, in the information processingsystem according to the present invention.

FIG. 24 is a diagram showing a process of producing a simplifiedenabling key block (EKB), in the information processing system accordingto the present invention.

FIG. 25 is a diagram showing a process of producing an enabling keyblock (EKB), in the information processing system according to thepresent invention.

FIG. 26 is a diagram showing a (first example of) simplified enablingkey block (EKB), used in the information processing system according tothe present invention.

FIG. 27 is a diagram showing a (second example of) simplified enablingkey block (EKB), used in the information processing system according tothe present invention.

FIG. 28 is a diagram showing a manner of managing category trees in ahierarchical tree structure, in the information processing systemaccording to the present invention.

FIG. 29 is a diagram showing the detailed manner of managing categorytrees in a hierarchical tree structure, in the information processingsystem according to the present invention.

FIG. 30 is a diagram showing a manner of managing category trees in ahierarchical tree structure, in the information processing systemaccording to the present invention.

FIG. 31 is a diagram showing a reserved node used in management categorytrees in a hierarchical tree structure, in the information processingsystem according to the present invention.

FIG. 32 is a diagram showing a new category tree registration sequencein management of category trees in a hierarchical tree structure, in theinformation processing system according to the present invention.

FIG. 33 is a diagram showing the relationship between a new categorytree and a higher-level category tree in management of category trees ina hierarchical tree structure, in the information processing systemaccording to the present invention.

FIG. 34 is a diagram showing a sub-EKB used in management of categorytrees having a hierarchical tree structure, in the informationprocessing system according to the present invention.

FIG. 35 is a diagram showing a device revocation process performed inmanagement of category trees having a hierarchical tree structure, inthe information processing system according to the present invention.

FIG. 36 is a diagram showing a device revocation sequence performed inmanagement of category trees having a hierarchical tree structure, inthe information processing system according to the present invention.

FIG. 37 is a diagram showing a sub-EKB renewed in response to devicerevocation in management of category trees having a hierarchical treestructure, in the information processing system according to the presentinvention.

FIG. 38 is a diagram showing a category tree revocation processperformed in management of category trees in the form of a hierarchicaltree structure, in the information processing system according to thepresent invention.

FIG. 39 is a diagram showing a category tree revocation sequenceperformed in management of category trees in the form of a hierarchicaltree structure, in the information processing system according to thepresent invention.

FIG. 40 is a diagram showing the relationship between a revoked categorytree and a higher-level category tree in management of category trees inthe form of a hierarchical tree structure, in the information processingsystem according to the present invention.

FIG. 41 is a diagram showing setting of capabilities in management ofcategory trees in the form of a hierarchical tree structure, in theinformation processing system according to the present invention.

FIG. 42 is a diagram showing setting of capabilities in management ofcategory trees in the form of a hierarchical tree structure, in theinformation processing system according to the present invention.

FIG. 43 is a diagram showing a capability management table managed by akey distribution center (KDC) in the information processing systemaccording to the present invention.

FIG. 44 is a flow chart of a process of producing an EKB on the basis ofa capability management table managed by a key distribution center (KDC)in the information processing system according to the present invention.

FIG. 45 is a diagram showing a capability notification process performedwhen a new category tree is registered, in the information processingsystem according to the present invention.

FIG. 46 is a diagram showing a category trees used in the informationprocessing system according to the present invention.

FIG. 47 is a diagram showing examples of processes performed among anEKB requester, a key distribution center, and a top-level categoryentity (TLCE), in the information processing system according to thepresent invention.

FIG. 48 is a diagram showing an example of hardware configurations of anEKB requester, a key distribution center, and a top-level categoryentity (TLCE), in the information processing system according to thepresent invention.

FIG. 49 is a diagram showing device node key (DNK) set held by a devicein the information processing system according to the present invention.

FIG. 50 is a diagram showing a data format of an EKB type definitionlist used in the information processing system according to the presentinvention.

FIG. 51 is a flow chart of an EKB type registration process performed inthe information processing system according to the present invention.

FIG. 52 is a flow chart of an EKB type revocation process performed inthe information processing system according to the present invention.

FIG. 53 is a flow chart of a tree change notification process, performedin the information processing system according to the present invention.

FIG. 54 is a flow chart of an EKB type list requesting process performedin the information processing system according to the present invention.

FIG. 55 is a diagram showing an sub-EKB production process performed inthe information processing system according to the present invention.

FIG. 56 is a diagram showing an sub-EKB production process performed inthe information processing system according to the present invention.

FIG. 57 is a diagram showing a process of producing an EKB by combiningsub-EKB's in the information processing system according to the presentinvention.

FIG. 58 is a diagram showing a process of producing a sub-EKB in asituation in which there is a device to be revoked, in the informationprocessing system according to the present invention

FIG. 59 is a diagram showing a process of producing an EKB by combiningsub-EKB's in a situation in which there is a device to be revoked, inthe information processing system according to the present invention.

FIG. 60 is a diagram showing a data format of a combined EKB producedfrom sub-EKB's used in the information processing system according tothe present invention.

FIG. 61 is a diagram showing a data format of a combined EKB producedfrom sub-EKB's used in the information processing system according tothe present invention.

FIG. 62 is a diagram showing a data format of a combined EKB which isproduced from sub-EKB's in a situation in which there is a device to berevoked, in the information processing system according to the presentinvention.

FIG. 63 is a diagram showing a revocation process in data distributionsystem in the information processing system according to the presentinvention.

FIG. 64 is a diagram showing a revocation process in a recording systemin the information processing system according to the present invention.

DETAILED DESCRIPTION

Outline of System

FIG. 1 illustrates an example of a content distribution system based onan information processing system according to the present invention. Adevice on a content transmission side 10 transmits content or a contentkey in an encrypted form to various devices on a content reception side20. A device on the reception side 20 plays back video data or audiodata or executes a program using the content or the content key acquiredby decrypting the received encrypted content or encrypted content key.Transmission of data between the content transmission side 10 and thecontent reception side 20 is performed via a network such as theInternet or via a distributable storage medium such as a DVD or a CD.

Specific examples of transmission means used on the content transmissionside 10 include the Internet 11, satellite broadcasting 12, a telephoneline 13, and a medium 14 such as a DVD or CD. Specific examples ofdevices on the content reception side 20 include a personal computer(PC) 21, a portable computer (PD) 22, a portable device 23 such as aportable telephone or PDA (Personal Digital Assistant), arecording/playing-back apparatus 24 such as a DVD player or a CD player,and a playback device 25 such as a game terminal. The devices on thecontent reception side 20 can acquire a content transmitted from thecontent transmission side 10 via communication means such as a networkor via a medium 30.

Device Configuration

FIG. 2 is a block diagram illustrating a configuration of arecording/reproducing apparatus 100 that is an example of devices on thecontent reception side 20 shown in FIG. 1. The recording/reproducingapparatus 100 includes an input/output interface 120, an MPEG (MovingPicture Experts Group) codec 130, an input/output interface 140including an A/D and D/A converter 141, cryptography(encryption/description) means 150, a ROM (Read Only Memory) 160, a CPU(Central Processing Unit) 170, a memory 180, and a drive 190 for drivinga storage medium 195, wherein these parts are connected to each othervia a bus 110.

The input/output interface 120 receives a digital signal representingcontent such as video data, audio data, or a program provided from theoutside and outputs the received digital signal over the bus 110. Theinput/output interface 120 also receives a digital signal via the bus110 and outputs the received digital signal to the outside. The MPEGcodec 130 MPEG-decodes MPEG-coded data supplied via the bus 110 andoutputs the resultant decoded data to the input/output interface 140.The MPEG codec 130 also MPEG-encodes a digital signal supplied from theinput/output interface 140 and outputs the resultant encoded signal overthe bus 110. The input/output interface 140 includes the A/D and D/Aconverter 141. The input/output interface 140 receives content in theform of an analog signal from the outside and converts it into digitalform using the A/D and D/A converter 141. The resultant digital signalis output to the MPEG codec 130. Conversely, if the input/outputinterface 140 receives a digital signal from the MPEG codec 130, theinput/output interface 140 converts it into analog form using the A/Dand D/A converter 141 and outputs the resultant analog signal to theoutside.

The cryptography means 150 is formed of, for example, a one-chip LSI(Large Scale Integrated Circuit) so as to serve to encrypt/decrypt adigital content signal supplied via the bus 110 and also serve toperform authentication. The resultant encrypted/decrypted data is outputover the bus 110. The cryptography means 150 may be realized not onlyusing a one-chip LSI but may also be realized by software or acombination of software and hardware. A specific manner of forming thecryptography means 150 using software will be described later.

The ROM 160 stores program data used by the recording/reproducingapparatus. The CPU 170 controls various parts such as the MPEG codec 130and the cryptography means 150 by executing the program stored in theROM 160 or the memory 180. The memory 180 may be realized using, forexample, a nonvolatile memory so as to serve to store the programexecuted by the CPU 170 or data used by the CPU 170. Key sets used inthe encryption/decryption process performed by the device are alsostored in the memory 180. The key sets will be described later. Thedrive 190 reads (reproduces) digital data from the storage medium 195 bydriving the storage medium 195 capable of storing and reproducingdigital data, and the drive 190 outputs the read digital data over thebus 110. Conversely, if digital data is received via the bus 110, thedrive 190 supplies the received data to the storage medium 195 so thatthe digital data is stored onto the storage medium 195.

The storage medium 195 is a medium capable of storing digital data, andspecific examples thereof include an optical disk such as a DVD or a CD,a magnetooptical(MO) disk, a magnetic disk, a magnetic tape, or asemiconductor memory such as a RAM. In the present embodiment, thestorage medium 195 is assumed to be removably mounted on the drive 190,although the storage medium 195 may be disposed in a fixed fashion inthe recording/reproducing apparatus 100.

The cryptography means 150 shown in FIG. 2 may be realized using aone-chip LSI or using software or a combination of software andhardware.

Distribution Keys on the Basis of a Tree Structure

A manner of assigning an encryption key to each device and a manner ofdistribution data are described below for a case in which encrypted datais transmitted from a device on the transmission side 10 to a device onthe reception side 20 shown in FIG. 1.

In FIG. 3, numbers from 0 to 15 at the bottom denote respective deviceson the content reception side 20. That is, leaves in the hierarchicaltree structure shown in FIG. 3 denote respective devices.

When devices 0 to 15 are produced or shipped, or at a proper timethereafter, a key set including a leaf key assigned to a leafcorresponding to a device and also including node keys assigned torespective nodes present in a path from that leaf to the root in thehierarchical tree structure shown in FIG. 3 is stored in each device.K0000 to K1111 shown at the bottom of FIG. 3 denote leaf keys assignedto the respective devices 0 to 15, and KR to K111 at levels from the topto the second level as counted from the bottom denote node keys.

In the tree structure shown in FIG. 3, for example, a device 0 has aleaf key K0000 and node keys K000, K00, K0, and KR. Similarly, a device5 has K0101, K010, K01, K0, and KR, and a device 15 has K1111, K111, K11K1, and KR. Although in the specific example shown in FIG. 3, the treeincludes only sixteen devices 0 to 15 and the tree has a symmetricfour-level structure, the tree may include a greater number of devicesand may have a different number of levels other than 4.

Each device in the tree structure shown in FIG. 3 may be of varioustypes which may use various types of storage media such as a storagedevice fixedly disposed in a device or a removable storage medium suchas a DVD, a CD, an MD, or a flash memory. Furthermore, various types ofapplication services may be provided via this tree structure. That is,the hierarchal tree structure for use in distribution of content orcontent keys, such as that shown in FIG. 3, is formed so as to adapt tosuch various types devices and various types applications.

In a system including such various types of devices and various types ofapplications, parts thereof are properly grouped. For example, in FIG.3, a part enclosed by a dotted line is set as one group includingdevices 0, 1, 2, and 3, which use the same type of storage medium. Forthe devices included in this group enclosed by the dotted line, commoncontent in an encrypted form may be transmitted at the same time from aprovider, or a content key that can be used by all devices in the groupmay be transmitted. Each device in the group transmits content paymentdata in an encrypted form to a provider or a clearance institution. Whencontent providers or institutions such as a clearance institutiontransmit data to devices, they may transmit data at the same time to alldevices 0, 1, 2, and 3 in the group enclosed by the dotted line in FIG.3. The tree shown in FIG. 3 may include a plurality of such groups.Content providers or institutions such as a clearance institution, whichtransmit and receive data to and from devices, function as message datadistribution means.

All node keys and leaf keys may be managed in a unified fashion by onekey management center, or node keys and leaf keys may be managed on agroup-by-group basis by message data distribution means such asproviders or clearance institutions that transmit and receive data toand from the respective groups. In a case where secrecy of a key isbroken, node keys and leaf keys are renewed by the key managementcenter, the providers, or the clearance institutions.

In the present tree structure, as can be seen from FIG. 3, all fourdevices 0, 1, 2, and 3 included in one group have common node keys K00,K0, and KR. Use of such common node keys makes it possible to provide,for example, a common content key only to the devices 0, 1, 2, and 3.For example, if the node key K00 that are held by all devices 0, 1, 2,and 3 is employed as a content key, it is possible to provide thecontent key that can be used in common only by the devices 0, 1, 2, and3, without necessitating an additional key transmission process. If acontent key Kcon is encrypted using the node key K00 and a valueEnc(K00, Kcon) obtained as a result of encryption is distributed to thedevices 0, 1, 2, and 3 via a network or a storage medium, then only thedevices 0, 1, 2, and 3 can acquire the content key Kcon by decryptingthe encryption value Enc(K00, Kcon) using the node key K00 that are heldin common by these devices. Herein, Enc(Ka, Kb) denotes data that isobtained by encrypting Kb using Ka.

At a some point of time t, if it turns out that keys K0011, K001, K00,K0, and KR held by the device 3 have been analyzed by a hacker andsecrecy of the key has been broken, it is needed to isolate the device 3from the system to protect data transmitted or received in the system(the group including the devices 0, 1, 2, and 3). For this purpose, itis needed to change the node keys K001, K00, K0, and KR to new keysK(t)001, K(t)00, K(t)0, K(t)R and transmit the new keys to the devices0, 1, and 2. Herein, K(t)aaa denotes a renewed key of generation of tobtained by renewing a key Kaaa.

Distribution of renewed keys is described below. Renewal of keys isachieved by supplying a table representing block data called an enablingkey block (EKB) such as that shown in FIG. 4(A) to the devices 0, 1, and2 via a network or a storage medium. The enabling key block (EKB)includes encrypted new keys to be distributed to devices correspondingto leaves in the tree structure shown in FIG. 3. The enabling key block(EKB) is also called a key renewal block (KRB).

The enabling key block (EKB) shown in FIG. 4(A) includes block data thatcan be used for renewal of keys only by devices that need renewal ofnode keys. In the specific example shown in FIG. 4(A), the block data isproduced for the purpose of distributing renewed node keys of generationof t to the devices 0, 1, and 2 in the tree structure shown in FIG. 3.As can be seen from FIG. 3, the devices 0 and 1 need K(t)00, K(t)0, andK(t)R as renewed node keys, and the device 2 needs K(t)001, K(t)00,K(t)0, and K(t)R as renewed node keys.

As can be seen from FIG. 4(A), the EKB includes a plurality of encryptedkeys. An encrypted key Enc(K0010, K(t)001) described at the bottom isproduced by encrypting renewed node key K(t)001 by the leaf key K0010held by the device 2, and thus the device 2 can acquire the renewed nodekey K(t)001 by decrypting Enc(K0010, K(t)001) using the leaf key of thedevice 2. Using this renewed node key K(t)001 obtained via decryption,an encrypted key Enc(K(t)001, K(t)00) in the second row as counted fromthe bottom in FIG. 4(A) can be decrypted into the renewed node keyK(t)00. Similarly, an encrypted key Enc(K((t)00, K(t)0) in the secondrow as counted from the top in FIG. 4(A) can be decrypted into therenewed node key K(t)0, and an encrypted key Enc(K(t)0, K(t)R) at thetop in FIG. 4(A) can be decrypted into K(t)R. On the other hand, for thedevices K0000 and K0001, the node key K000 is not needed to renew, andthus only renewed keys K(t)00, K(t)0, and K(t)R are needed for thedevices K0000 and K0001. The devices K0000 and K0001 acquire K(t)00 bydecrypting an encrypted key Enc(K000, K(t)00) at the third row ascounted from the top in FIG. 4(A), and acquire the renewed node keyK(t)0 by decrypting the encrypted key Enc(K(t)00, K(t)0) at the secondrow as counted from the top in FIG. 4(A). Furthermore, K(t)R is acquiredby decrypting the encrypted key Enc(K(t)0, K(t)R) at the top in FIG.4(A). In this way, the devices 0, 1, and 2 can acquire the renewed keyK(t)R. In FIG. 4(A), indexes indicate the absolute addresses of the nodekeys and leaf keys used as decryption keys.

In a case where the node keys K(t)0 and K(t)R in high levels of the treestructure shown in FIG. 3 are not needed to renew, but only the node keyK00 is needed to renew, the enabling key block (EKB) may be formed suchas shown in FIG. 4(B) whereby the renewed node key K(t)00 can bedistributed to the devices 0, 1, and 2.

The EKB shown in FIG. 4(B) may be used to distribute a new content keyto be used in common by a particular group. For example, let us assumethat the devices 0, 1, 2, and 3 in the group enclosed by the dotted linein FIG. 3 use a particular type of storage media and that a new commoncontent key K(t)con is needed. In this case, the renewed content keyK(t)con for use in common is encrypted using K(t)00 obtained by renewingthe node key K00 used in common by the devices 0, 1, 2, and 3, andresultant encrypted data Enc(K(t), K(t)con) is distributed together withthe EKB shown in FIG. 4(B). This method of distribution allows data tobe distributed such that the distributed data cannot be decrypted by theother devices, such as the device 4.

That is, the devices 0, 1, and 2 can acquire the content key K(t)conthat is valid at the point of time t by decrypting the encrypted datadescribed above using K(t)00 that can be obtained by processing the EKB.

Distribution of Content Key Using EKB

FIG. 5 illustrates a specific example of a process performed by thedevice 0 to obtain the content key K(t)con which is valid at the pointof time t from the data Enc(K(t)00, K(t)con), which has been produced byencrypting the new common content key K(t)con using K(t)00 and suppliedtogether with the EKB shown in FIG. 4(B) to the device 0 via a storagemedium. In this case, the content key K(t)con is message data encryptedby the EKB.

As shown in FIG. 5, the device 0 produces the node key K(t)00 byprocessing the EKB of the generation of t stored on the storage mediumusing the node key K000, which is already held by the device 0, in asimilar manner as described above. Thereafter, the renewed content keyK(t)con is acquired by means of decryption using the renewed node keyK(t)00. Furthermore, the renewed content key K(t)con is encrypted usingthe leaf key K0000 held only by the device 0 so that the content keyK(t)con can be used at any time thereafter.

Format of EKB

FIG. 6 shows an example of a format of an enabling key block (EKB). Aversion 601 is an identifier indicating the version of the enabling keyblock (EKB). The version serves not only to identify the newest EKB butalso to indicate the correspondence with contents. The depth 602indicates the number of layers of a hierarchical tree of devices towhich the enabling key block (EKB) is distributed. A data pointer 603points to a location of a data field in the enabling key block (EKB). Atag pointer 604 points to a location of a tag field, and a signaturepointer 605 points to a location of a signature.

The data field 606 is used to store encrypted data such as a renewednode key. For example, data of encrypted keys associated with a renewednode key, such as that shown in FIG. 5, is stored in the data field 606.

The tag field 607 is used to store tags indicating the locations of theencrypted node keys and leaf key stored in the data field 606. The ruleof determining the tags is described below with reference to FIG. 7. Ina specific example shown in FIG. 7, the enabling key block (EKB)described above with reference to FIG. 4(A) is transmitted as the data.A table (b) in FIG. 7 shows the data that is transmitted in thisspecific example. Herein, the address of a top node in the encryptedkeys is referred to as a top node address. In this case, because arenewed root key K(t)R is included in the encrypted keys, the top nodeaddress becomes KR. The data Enc(K(t)0, K(t)R) at the top correspond toa location of the hierarchical tree shown in (a) of FIG. 7. The locationin the hieratical tree for the next data Enc(K(t)00, K(t)0) is lowerleft to the location of the previous data. When there is data, the tagis set to 0, while the tag is set to 1 when there is no data. The tag isrepresented in the form of {L-tag, R-tag}, wherein L-tag denotes a lefttag and R-tag denotes a right tag. In the case of the data Enc(K(t)0,K(t)R) in the top row, there is data to the left thereof, and thus theL-tag is set to 0, while the R-tag is set to 1 because there is no datato the right thereof. Tags are set for all data in a similar manner. Asa result, a sequence of data and a sequence of tags are produced asshown in FIG. 7( c).

The tags indicate the locations of data Enc(Kxxx, Kyyy) in the treestructure. Key data Enc(Kxxx, Kyyy) stored in the data field is a simplesequence of encrypted keys, and thus the tags are used to indicate thelocations, in the tree, of encrypted keys stored in the data field 606.Instead of using the tags, the locations in the tree may be representedby adding node indexes to the corresponding encrypted data, as describedearlier with reference to FIG. 4. More specifically, the node indexesmay be added as follows:

0: Enc (K(t)0, K(t)root)

00: Enc (K(t)00, K(t)0)

000: Enc (K (t) 000, K (T) 00)

and so on. However, use of the indexes results in redundancy in thedata, and thus a greater data size is needed to describe the data, whichis undesirable in transmission via a network. In contrast, if the tagsare used as index data indicating the locations of keys, the locationsof keys can be indicated by data with a smaller data size.

Referring back to FIG. 6, the format of EKB is described further. Asignature is a digital signature written by a key management center, acontent provider, or a clearance institution, which has issued theenabling key block (EKB). When a device receives the EKB, the deviceverifies the signature to determine whether the received enabling keyblock (EKB) is a correct one issued by an authorized enabling key block(EKB) issuer.

Distribution of a Content Key and Content Using an EKB

In the example described above, only the content key is transmittedtogether with the EKB. Content encrypted using a content key may also betransmitted together with a content key encrypted using a content keyencryption key and the content key encryption key encrypted using anEKB, as described below.

FIG. 8 shows a data format used for the present purpose. In the dataformat shown in FIG. 8( a), Enc(Kcon, content) 801 denotes data producedby encrypting the content using the content key (Kcon). Enc(KEK, Kcon)802 is data produced by encrypting the content key (Kcon) using thecontent key encryption key (KEK). Enc(EKB, KEK) 803 denotes dataproduced by encrypting the content key encryption key KEK using theenabling key block (EKB).

Herein, the node key (K000, K00, . . . ) shown in FIG. 3 or the root key(KR) may be employed as the content key encryption key KEK, or a keyencrypted using the node key (K000, K00, . . . ) or the root key (KR)may be employed.

FIG. 8( b) shows a data format that may be used when a plurality ofcontents are stored on a medium, and all contents use the same encrypteddata Enc(EKB, KEK) 805. In this case, data pointing to Enc(EKB, KEK) isadded to the respective content data, instead of adding the sameEnc(EKB, KEK) to the respective content data.

FIG. 9 shows an example in which the content key encryption key KEK isemployed as a renewed node key K(t)00 to be used instead of the node keyK00 shown in FIG. 3. In the case where the device 3 in the groupenclosed by the dotted line in FIG. 3 has been revoked because ofexposure of secrecy of a key, if the enabling key block (EKB) shown inFIG. 9( a), data produced by encrypting the content key (Kcon) using thecontent key encryption key (KEK=K(t)00) shown in FIG. 9( b), and dataproduced by encrypting the content using the content key (Kcon) shown inFIG. 9( c) are supplied to the other members in the group, that is, tothe devices 0, 1, and 2, the devices 0, 1, and 2 can acquire thecontent.

A decryption procedure performed by the device 0 is shown on theright-hand side of FIG. 9. First, the device 0 acquires the content keydecryption key (KEK=K(t)00) from the received enabling key block byperforming a decryption process using the leaf key K000 held by thedevice 0. The device 0 then acquires the content key Kcon by means ofdecryption using K(t)00 and finally acquires the content by means ofdecryption using the content key Kcon. Thus, the device 0 can obtain thecontent. Similarly, the devices 1 and 2 can acquire the content keyencryption key (KEK=K(t)00) by processing the EKB according to their ownprocedures and can further acquire the content.

Even if the devices 4, 5, 6, and so on of the other groups shown in FIG.3 received similar data (EKB), they cannot acquire the content keyencryption key (KEK=K(t)00) using the leaf keys or node keys held bythem. The revoked device 3 can also not acquire the content keyencryption key (KEK=K(t)00) using the leaf key or node keys held by thedevice 3. Thus, only the authorized devices can decrypt the content andcan use the decrypted content.

Thus, the above-described method of transmitting a content key using anEKB makes it possible to securely distribute encrypted content using asmall amount of data such that only authorized users can decrypt theencrypted content.

In the example described above, the enabling key block (EKB), thecontent key, and the encrypted content are securely distributed via thenetwork. Alternatively, the enabling key block (EKB), the content key,and the encrypted content may be stored on a storage medium such as aDVD or a CD and the storage medium may be supplied to a user therebyproviding the enabling key block (EKB), the content key, and theencrypted content to the user. In this case, if the encrypted contentand the enabling key block (EKB) are stored on the same storage mediumso that the encrypted content can be decrypted using the content keythat can be obtained by decrypting the enabling key block (EKB), it ispossible to realize a simple content distribution system that allowsonly limited authorized user devices to use distributed encryptedcontent by decrypting it using a leaf key or node keys held by the userdevices.

FIG. 10 shows an example in which encrypted contents and enabling keyblocks (EKB) are stored together on a storage medium. In this specificexample shown in FIG. 10, contents C1 to C4 are stored on a storagemedium, and data indicating the correspondence between the respectivecontents and enabling key blocks (EKB) is stored on the same storagemedium, and furthermore an enabling key block of version M (EKB_M) isalso stored. For example, EKB_1 is used to produce a content key Kcon1used to encrypt the content C1, and EKB_2 is used to produce a contentkey Kcon2 used to encrypt the content C2. In this example, because theenabling key block (EKB_M) of version M is stored on the storage medium,and because the contents C3 and C4 are related to the enabling key block(EKB_M), it is possible to acquire the content key for the contents C3and C4 by decrypting the enabling key block (EKB_M). On the other hand,because EKB_1 and EKB_2 are not stored on the disk, it is needed toacquire them via another means such as a network communication oranother storage medium to decrypt the content keys C1 and C2.

FIG. 11 shows a comparison between a process of distributing a contentkey using an EKB and a process of distributing a content key accordingto the conventional technique, for a case in which the content keys aredistributed among a plurality of devices. The conventional technique isshown in the upper half area (a) of FIG. 11, and the technique using theenabling key block (EKB) according to the present invention is shown inthe lower half area (b) of FIG. 11. In FIG. 11, Ka(Kb) denotes dataproduced by encrypting Kb using Ka.

In the conventional technique, as shown in (a), authentication and keyexchange (AKE) are performed between devices to verify that transmittingand receiving devices are authorized devices and to produce a sessionkey Kses to be used in common by both devices. If and only if theauthentication is successfully passed, a content key Kcon is encryptedusing the session key Kses and the resultant encrypted data istransmitted.

For example, a PC shown in FIG. 11( a) can acquire Kcon by decryptingencrypted content key Kses(Kcon) using a received session key.Furthermore, the PC can encrypt the acquired content key Kcon using astorage key Kstr held by the PC and store resultant encrypted data intoa memory of the PC.

In FIG. 11( a), even in a case where a content provider wants totransmit data such that only a storage device 1101 shown in FIG. 11( a)can use the data, if there are a PC and a playback apparatus between thecontent provider and the storage device 1101, it is needed to performauthentication as shown in FIG. 11( a) and then transmit a content keyencrypted using a session key. In this case, the PC and the playbackapparatus existing between them can acquire the content key bydecrypting the encrypted content key using the session key produced viathe authentication process and acquired by the PC and the playbackapparatus.

On the other hand, in the example shown in the lower half area (b) ofFIG. 11 in which a content provider transmits an enabling key block(EKB) and data (Eroot(Kcon)) in the specific example shown in FIG. 11(b)) produced by encrypting a content key Kcon using a node key or a rootkey that is obtained by processing the enabling key block (EKB), only adevice which can process the received EKB can perform decryption toacquire the content key Kcon.

Therefore, if an enabling key block (EKB) is produced such that it canbe used only by a device (e.g., storage medium) located on the right endin FIG. 11( b), and if the enabling key block (EKB) is transmittedtogether with data produced by encrypting a content key Kcon using anode key or a root key that can be obtained by processing the EKB, adevice such as a PC or a playback apparatus existing between the contentprovider and the device on the right end cannot process the EKB usingthe leaf key or node key held in the PC or the playback apparatus.Therefore, it is possible to securely transmit a content key that can beused only with an authorized device without necessitating a processbetween transmitting and receiving devices, such as authentication,production of a session key, and encryption of the content key Kconusing the session key.

When it is desired to transmit a content key such that it can also beused by the PC and the playback apparatus, if an enabling key block(EKB) is produced such that it can be processed by any of these deviceswhich should be allowed to use the content key, and if the resultant EKBis transmitted, then these device can acquire the content key.

Distribution of an Authentication Key Using an Enabling Key Block (EKB)(By Means of Common Key Cryptography)

In the distribution of data or a key using an enabling key block (EKB)according to the above-described technique, the enabling key block (EKB)and the content or the content key that are transmitted between devicesare encrypted into the same form. Therefore, there is a possibility thatan unauthorized copy is made by a so-called replay attack technique inwhich data is stolen and recorded by tapping a data transmission lineand the recorded data is transferred later. To prevent data from beingcopied in an unauthorized manner, it is effective to performauthentication and key exchange as in the conventional technique. Thus,herein, a technique is disclosed in which an authentication key Kakeused in authentication and key exchange is transmitted to a device. Thisis done using an enabling key block (EKB) according to theabove-described technique, thereby allowing the common authenticationkey to be used as a secure secret key and thus allowing authenticationto be performed according to the common key cryptography technique. Thatis, in this technique, the authentication key is transmitted as messagedata encrypted by an EKB.

FIG. 12 shows a mutual authentication method using common keycryptography (according to ISO/IEC9798-2). In the example shown in FIG.12, a common key cryptography technique based on the DES is employed,another similar common key cryptography technique may also be employed.In FIG. 12, a device B first generates a 64-bit random number Rb andtransmits Rb, together with an identifier ID(b) of the device B, to adevice A. In response to receiving Rb and ID(b), the device A generatesa 64-bit random number Ra and encrypts Ra, Rb, and ID(b) using a key Kabin the CBC mode of the DES, in the order of Ra, Rb, and ID(b). Theresultant encrypted data is returned to the device B. Herein, the keyKab is a key that is used as a secret key in common by the devices A andB and that is stored in a storage device of each of the devices A and B.The encryption using the key Kab in the CBC mode of the DES may beperformed as follows. In the process using the DES, the exclusive ORbetween the initial value and Ra is calculated and the result isencrypted by the DES encryption unit using a key Kab, thereby obtainingencrypted data E1. The exclusive OR between E1 and Rb is calculated andthe result is encrypted by the DES encryption unit using the key Kab,thereby obtaining encrypted data E2. Furthermore, the exclusive ORbetween the encrypted data E3 and ID(b) is calculated, and the result isencrypted by the DES encryption unit using the key Kab, therebyobtaining encrypted data E3. The obtained encrypted data E1 to E3(Token-AB) are transmitted.

If the device B receives the encrypted data, the device B decrypts thereceived data using the key Kab (authentication key) as the secret keyused in common. More specifically, the decryption of the received datais performed as follows. First, the encrypted data E1 is decrypted usingthe authentication key Kab to obtain the random value Ra. Thereafter,the encrypted data E2 is decrypted using the authentication key Kab. Rbis obtained by calculating exclusive OR between the resultant decrypteddata and E1. Finally, the encrypted data E3 is decrypted using theauthentication key Kab, and exclusive OR between the resultant decrypteddata and E2 is calculated to obtain ID(b). Of Ra, Rb, and ID(b) obtainedvia the above process, Rb and ID(b) are compared with those transmittedfrom the device B to verify whether they are identical. If theverification is successfully passed, the device B determines that thedevice A is an authorized device.

Thereafter, the device B generates a session key (Kses) which will beused after the authentication (the session key Kses is generated using arandom number). Rb, Ra, and Kses are encrypted, in this order, using theauthentication key Kab in the CBC mode of the DES and transmitted to thedevice A.

Upon receiving the data, the device A decrypts the received data usingthe authentication key Kab. The received data can be decrypted in asimilar manner to decryption performed by the device B, and thus it isnot described in further detail herein. Thus, Rb, Ra and Kses areobtained, and Rb and Ra are compared with the original data transmittedfrom the device A. If the verification is successfully passed, thedevice A determines that the device B is an authorized device. Incommunication performed after the mutual authentication has beensuccessfully passed, the session key Kses is used to secure the secrecy.

In the case where the received data is determined as being invalid inthe above-described verification, the mutual authentication fails andthe process is terminated.

In the authentication process described above, the authentication keyKab is used in common by both devices A and B. This common key Kab istransmitted to the devices by means of the above-described techniqueusing an enabling key block (EKB).

More specifically, in the example shown in FIG. 12, one of devices A andB produces an enabling key block (EKB) such that it can be decrypted bythe other device, and said one of devices further encrypts theauthentication key Kab using the produced enabling key block (KEB) andtransmits the resultant encrypted data to the other device.Alternatively, a third party may produce an enabling key block (EKB)that can be used by both devices A and B, and may transmit anauthentication key Kab encrypted using the produced enabling key block(EKB) to the devices A and B.

FIGS. 13 and 14 show examples of processes of transmitting a commonauthentication key Kake to a plurality of devices by means of thetechnique using an enabling key block (EKB). In the example shown inFIG. 13, an authentication key Kake that can be decrypted by devices 0,1, 2, and 3 is transmitted to these devices. In the example shown inFIG. 14, of devices 0, 1, 2 and 3, the device 3 is revoked, and anauthentication key that can be decrypted only by devices 0, 1 and 2 istransmitted.

In the example shown in FIG. 13, data (b) produced by encrypting anauthentication key Kake using a renewed node key K(t)00 is transmittedtogether with an enabling key block (EKB) produced such that the renewednode key K(t)00 can be obtained by decrypting the EKB using node keysand leaf keys held by the respective devices 0, 1, 2, and 3. As shown onthe right-hand side of FIG. 13, each device first acquires the renewednode key K(t)00 by processing (decrypting) the EKB and then acquires theauthentication key Kake by decrypting the encrypted authentication keyEnc(K(t)00, Kake) using the acquired node key K(t)00.

Even if one of the other devices 4, 5, 6, 7, and so on receives the sameenabling key block (EKB), the device cannot process the EKB using a nodekey or a leaf key held by the device to acquire the renewed node keyK(t)00. Thus, it is possible to securely transmit the authentication keyonly to authorized devices.

On the other hand, in the example shown in FIG. 14, in a situation inwhich the device 3 in the group enclosed by the dotted line in FIG. 3has been revoked because of exposure of secrecy of a key, an enablingkey block (EKB) is produced such that it can be decrypted only by theother members of the group, that is, the devices 0, 1, and 2, and theproduced enabling key block (EKB) is transmitted. More specifically, theenabling key block (EKB) shown in FIG. 14( a) and the data, shown inFIG. 14( b), produced by encrypting the authentication key (Kake) usingthe node key (K(t)00) are transmitted together.

The decryption procedure is shown on the right-hand side of FIG. 14.Each device 0, 1, and 2 first acquires the renewed node key (K(t)00)from the received enabling key block by performing decryption using aleaf key or a node key held by the device. Thereafter, each deviceacquires the authentication key Kake by performing decryption usingK(t)00.

Even if one of the devices 4, 5, 6, and so on of the other groups shownin FIG. 3 received similar data (EKB), it cannot acquire the renewednode key (K(t)00) using a leaf key or a node key held by it. The revokeddevice 3 can also not acquire the renewed node key (K(t)00) using a leafkey or a node key held by it. Thus, only the authorized devices candecrypt the authentication key and can use it.

Thus, the above-described method of transmitting an authentication keyusing an EKB makes it possible to securely transmit an encryptedauthentication key using a small amount of data such that onlyauthorized users can decrypt the encrypted authentication key.

Distribution of a Content Key Using a Public Key Certificate and anEnabling Key Block (EKB)

Now, a method of distributing a content key using a public keycertificate and an enabling key block (EKB) is described below. First, amethod of mutual authentication using 160-bit elliptic-curvecryptography (ECC), which is one public key cryptography scheme, isdescribed below with reference to FIG. 15. Although ECC is employed asthe public key cryptography scheme in the process shown in FIG. 15,another similar symmetric key cryptography scheme may also be employed.Furthermore, the key size is not limited to 160 bits. In FIG. 15, first,a device B generates a 64-bit random number Rb and transmits it to adevice A. Upon receiving Rb, the device A generates a 64-bit randomnumber Ra and a ransom number Ak smaller than a prime number p. PointAv=Ak×G is calculated by multiplying a base point G by Ak. A digitalsignature A.Sig for Ra, Rb, and Av (X and Y coordinates) is thengenerated and transmitted together with a public key certificate of thedevice A to the device B. Herein, Ra and Rb have a length of 64 bits andthe X and Y coordinates of Av have a length of 160 bits, and thus thedigital signature is generated for a total length of 448 bits.

Upon receiving the public key certificate of the device A, Ra, Rb, Av,and the digital signature A.Sig, the digital device B verifies whetherRb received from the device A is equal to the original value generatedby the device B. If the verification indicates that Rb is equal to theoriginal value, the digital signature written in the public keycertificate of the device A is then verified using the public key of thecertificate authority, and the public key of the device A is extracted.Thereafter, the digital signature A.Sig is verified using the extractedpublic key of the device A.

Thereafter, the device B generates a random number Bk smaller than theprime number p. Thereafter, point Bv=Bk×G is calculated by multiplyingthe base point G by Bk. A digital signature B.Sig for Rb, Ra, By (X andY coordinates) is then generated and transmitted together with a publickey certificate of the device B to the device A.

Upon receiving the public key certificate of the device B, Rb, Ra, Av,and the digital signature B.Sig, the digital device A verifies whetherRa received from the device B is equal to the original value generatedby the device A. If the verification indicates that Ra is equal to theoriginal value, the digital signature written in the public keycertificate of the device B is then verified using the public key of thecertificate authority, and the public key of the device B is extracted.Thereafter, the digital signature B.Sig is verified using the extractedpublic key of the device B. If the verification of the digital signatureis successfully passed, the device A regards the device B as being anauthorized device.

If the mutual authentication is successfully passed, the device Bcalculates Bk×Av (by multiplying the point Av on the elliptic curve byBk which is a random number), and the device A calculates Ak×Bv.Lower-order 64 bits of the X coordinates of the resultant points areused as a session key during communication performed thereafter (in thecase where 64-bit keys are used as symmetric keys according to thesymmetric key cryptography). The session key may be generated from Ycoordinates. Instead of employing lower-order 64 bits, another set ofbits may also be employed. In secret communication performed after themutual authentication, a digital signature may be added to dataencrypted using a session key.

In the case where the digital signature or the received data isdetermined as being invalid in the above-described verification, themutual authentication fails and the process is terminated.

FIG. 16 shows an example of a process of distributing a content keyusing a public key certificate and an enabling key block (EKB). First,authentication is performed between a content provider and a PC by meansof the public key cryptography technique described above with referenceto FIG. 15. The content provider produces an EKB that can be decryptedusing a node key or a leaf key held by a playback apparatus or a storagemedium to which a content key is to be transmitted. Thereafter, theencrypted content key E(Kcon) produced by encrypting the content keyusing a renewed node key and the enabling key block (EKB) are encryptedusing a session key Kses produced via the authentication between thecontent provider and the PC, and the resultant data is transmitted tothe PC.

The PC decrypts, using the session key, the content key E(Kcon)encrypted using the renewed node key and the enabling key block (EKB),which were both encrypted using the session key, and transmits theresultant decrypted data to the playback apparatus and the storagemedium.

The playback apparatus and the storage medium acquire the content keyKcon by decrypting, using a node key or a leaf key held by them, thecontent key E(Kcon) encrypted using the renewed node key and theenabling key block (EKB).

In this method, if and only if authentication between the contentprovider and the PC is successfully passed, the content key E(Kcon)encrypted using the renewed node key and the enabling key block (EKB)are transmitted, thereby ensuring that data can be securely transmittedonly to an authorized device even in a situation in which secrecy of anode key has been exposed.

Distribution of a Program Code Using an Enabling Key Block (EKB)

In the examples described above, data such as a content key, anauthentication key, or the like is encrypted using an enabling key block(EKB) and resultant encrypted data is transmitted. Various kinds ofprogram codes may also be transmitted in a similar manner using anenabling key block (EKB). In this case, a program code is transmitted asmessage data encrypted using an EKB. The process is described in furtherdetail below.

FIG. 17 shows an example of a process of transmitting a program codebetween devices after encrypting it using, for example, a renewed nodekey included in an enabling key block (EKB). A device 1701 produces anenabling key block (EKB) that can be decrypted using a node key or aleaf key held by a device 1702 and also produces data by encrypting aprogram code using a renewed node key included in the enabling key block(EKB). The resultant enabling key block (EKB) and the encrypted data aretransmitted to the device 1702. The device 1702 acquires the renewednode key by processing the received EKB, and then acquires the programcode by decrypting the encrypted program code using the acquired renewednode key.

In the example shown in FIG. 17, the device 1702 further executes theacquired program code and returns the result to the device 1701.Depending on the result, the device 1701 performs a further process.

As described above, by transmitting an enabling key block (EKB) and aprogram code encrypted using a renewed node key included in the enablingkey block (EKB), it becomes possible to transmit the program code, whichcan be decrypted only by a specific device, to that specific device or aspecific group shown in FIG. 3.

Addition of an Integrity Check Value (ICV) to Content to be Transmitted

A method is now described for preventing content from being tamperedwith, by determining whether the content has been tampered with on thebasis of an integrity check value (ICV) calculated for the content.

The integrity check value (ICV) of content is calculated, for example,by applying a hash function to the content such that ICV=hash(Kicv, C1,C2, . . . ) wherein Kicv is an ICV generation key, and C1 and C2 areinformation associated with the content represented in messageauthentication codes (MAC).

FIG. 18 illustrates an example of a process of producing a MAC value bymeans of DES encryption. As shown in FIG. 18, a message to betransmitted is divided into parts each consisting of 8 bytes(hereinafter, divided parts of the message are denoted by M1, M2, . . ., MN). First, the exclusive OR between an initial value (IV) and M1 iscalculated (wherein the result is represented by I1). Thereafter, I1 isapplied to a DES encryption unit to encrypt I1 using a key (K1) (whereinthe encrypted output is denoted by E1). The exclusive OR between E1 andM2 is then calculated, and the result I2 is applied to the DESencryption unit to encrypt it using a key K1 (wherein the resultantoutput is denoted by E2). Thereafter, the above process is repeateduntil all parts of the message are encrypted. The final output EN isemployed as a message authentication code (MAC).

An integrity check value (ICV) of the content is produced by applying ahash function to the MAC value of the content and the ICV generationkey. The ICV generated on the basis of the content is compared with anICV that has been produced, for example, when the content is generatedand that is guaranteed as valid. If both values are identical, thecontent is determined to be valid without being tampered with. If theyare different, the content is determined to have been tampered with.

Distribution of a Generation Key Kicv of an Integrity Check Value (ICV.)Using an EKB

A process of transmitting a generation key Kicv of an integrity checkvalue (ICV) using an enabling key block (EKB) is described below. Thatis, in this case, the generation key Kicv of the integrity check value(ICV) authentication key is transmitted as message data encrypted usingthe EKB.

FIGS. 19 and 20 show specific examples of manners of transmitting, usingan enabling key block (EKB), an integrity check value generation keyKicv used to verify that the content has not been tampered with, in asituation in which the same content is transmitted to a plurality ofdevices. In the example shown in FIG. 19, an ICV generation key Kicvthat can be decrypted by devices 0, 1, 2, and 3 is transmitted to thesedevices. In the example shown in FIG. 20, of devices 0, 1, 2 and 3, thedevice 3 is revoked, and an ICV generation key Kicv that can bedecrypted only by devices 0, 1 and 2 is transmitted.

In the example shown in FIG. 19, data (b) produced by encrypting an ICVgeneration key Kicv using a renewed node key K(t)00 is transmittedtogether with an enabling key block (EKB) produced such that the renewednode key K(t)00 can be obtained by decrypting the EKB using node keysand leaf keys held by the respective devices 0, 1, 2 and 3. As shown onthe right-hand side of FIG. 19, each device first acquires the renewednode key K(t)00 by processing (decrypting) the EKB and then acquires theICV generation key Kicv by decrypting the encrypted ICV generation keyEnc(K(t)00, Kicv) using the acquired node key K(t)00.

Even if one of the other devices 4, 5, 6, 7, and so on receives the sameenabling key block (EKB), the device cannot process the EKB using a nodekey or a leaf key held by the device to acquire the renewed node keyK(t)00. Thus, it is possible to securely transmit the ICV generation keyonly to authorized devices.

On the other hand, in the example shown in FIG. 20, in a situation inwhich the device 3 (in the group enclosed by the dotted line in FIG. 3)has been revoked because of exposure of secrecy of a key, an enablingkey block (EKB) is produced such that it can be decrypted only by theother members of the group, that is, the devices 0, 1, and 2, and theproduced enabling key block (EKB) is transmitted. More specifically, theenabling key block (EKB) shown in FIG. 20( a) and the data, shown inFIG. 20( b), produced by encrypting the ICV generation key (Kicv) usingthe node key (K(t)00) are transmitted together.

The decryption procedure is shown on the right-hand side of FIG. 20.Each device 0, 1, and 2 first acquires the renewed node key (K(t)00)from the received enabling key block by performing decryption using aleaf key or a node key held by the device. Thereafter, each deviceacquires the ICV generation key Kicv by performing decryption usingK(t)00.

Even if one of the devices 4, 5, 6, and so on of the other groups shownin FIG. 3 received similar data (EKB), it cannot acquire the renewednode key (K(t)00) using a leaf key or a node key held by it. The revokeddevice 3 can also not acquire the renewed node key (K(t)00) using a leafkey or a node key held by it. Thus, only the authorized devices candecrypt the ICV generation key and can use it.

Thus, the above-described method of transmitting an ICV generation keyusing an EKB makes it possible to securely transmit the ICV generationkey using a small amount of data such that only authorized users candecrypt the encrypted ICV generation key.

As described above, by using the integrity check value (ICV) of thecontent, it is possible to prevent the EKB and the encrypted contentfrom being copied in an unauthorized manner. For example, as shown inFIG. 21, content C1 and content C2 are stored on a medium 1 togetherwith an enabling key block (EKB) from which content keys associated withthe contents C1 and C2 can be acquired. If the data is directly copiedonto a medium 2, the copied EKB and contents can be used by any devicethat can decrypt the EKB.

In contrast, in the example shown in FIG. 21( b), each authorized mediumincludes, stored thereon, an integrity check value (ICV(C1, C2))associated with contents in addition to the contents. Herein, ICV(C1,C2) denotes an integrity check value obtained by applying a hashfunction to the content C1 and the content C2 such that ICV=hash(Kicv,C1, C2). In the example shown in FIG. 21( b), the content 1 and thecontent 2 are stored on a medium 1 in an authorized manner, and theintegrity check value (ICV(C1, C2)) produced on the basis of the contentC1 and the content C2 is also stored thereon. On the other hand, thecontent 1 is stored on a medium 2 in an authorized manner, and theintegrity check value (ICV(C1)) produced on the basis of the content C1is also stored thereon. In this situation, if data {EKB, content 2} iscopied from the medium 1 to the medium 2, a new integrity check valueICV(CL, C2) is produced by the medium 2, and it turns out that the newintegrity check value is different from the integrity check valueKicv(C1) stored on the medium 2. Thus, it turns out that the content hasbeen tampered with or a new content has been copied in an unauthorizedmanner. When a device plays back a medium, if, before starting playback,the device checks the ICV to determine whether the generated ICV and theoriginal ICV stored on the medium are identical to each other, and ifplayback is not performed when two values are not identical to eachother, it is possible to prevent an unauthorized copy of content frombeing played back.

To further enhance the security, the integrity check value (ICV) ofcontent may be rewritten into a value produced on the basis of dataincluding a counter value such that ICV=hash(Kicv, counter+1, C1, C2, .. . ), where the counter value (counter+1) is incremented by 1 each timethe ICV is rewritten. It is required that the counter value be stored ina secure memory.

In a case where an integrity check value (ICV) of content cannot bestored on the same medium as that on which the content is stored, theintegrity check value (ICV) of the content may be stored on a mediumdifferently from the content.

For example, when content is stored on a read-only medium or a usual MOthat does not have a copy protection capability, if an integrity checkvalue (ICV) is stored on the same medium, the ICV can be rewritten by anunauthorized user, the security of the ICV cannot be achieved. In such acase, the ICV is stored on a secure medium on a host machine, andcontent copy control (such as check-in/check-out, move) is performedusing the ICV, thereby ensuring that the ICV is securely managed andmaking it possible to check whether the content has been tampered with.

FIG. 22 shows a specific example of the process for the above purpose.In this example shown in FIG. 22, contents are stored on a medium 2201,such as a read-only medium or a usual MO, which does not have a copyprotection capability, and an integrity check value (ICV) associatedwith these contents is stored on a secure medium 2202 on a host machinewhich is not allowed to be accessed by a user, thereby preventing theintegrity check value (ICV) from being rewritten in an unauthorizedmanner. If, before a device starts playback of the medium 2201 mountedthereon, a PC or a server serving as the host machine checks the ICV todetermine whether playback should be allowed, it is possible to preventan unauthorized copy of content or tampered content from being playedback.

Categorization of a Hierarchical Tree Structure

In the above examples, encryption keys are produced into the form of ahierarchical tree structure, such as that shown in FIG. 3, including aroot key, node keys, and leaf keys, and data such as a content key, anauthentication key, an ICV generation key, or a program code isencrypted and transmitted together with an enabling key block (EKB). Thehierarchical tree structure that defines the node keys or the like maybe categorized according to the types of devices, and renewal of keys,transmission of encryption keys, and transmission of data may beperformed in a more efficient manner as described below.

FIG. 23 shows an example of categorization of the hierarchical treestructure. In this example shown in FIG. 23, a root key Kroot 2301 isdisposed at the top of the hierarchical tree structure, node keys 2302are disposed in middle levels, and leaf keys 2303 are disposed at thebottom. Each device has a set of keys including a leaf key 2303 of thedevice itself, the root key 2301, and node keys 2302 existing in thepath from the leaf key 2303 to the root key 2301.

By way of example, it is assumed herein that nodes in an Mth level ascounted from the top are defined as category nodes 2304. That is, thenodes in the Mth level are employed to define specific categories ofdevices. One node at the Mth level is employed as a top node, and nodesand leaves that exist at the (M+1)th level and lower levels in pathsoriginating from that top node are defined to be included in thecategory assigned to the top node.

For example, one node 2305 in the Mth level in FIG. 23 is employed todefine a category of memory media sold under the trademark MEMORY STICK,and nodes and leaves existing in paths originating from this node aredefined to correspond to various devices using a memory stick belongingto the category of “memory sticks”. That is, a set of nodes includingthe node 2305 and associated lower-level nodes and leaves is defined tobelong to the category of memory sticks.

Furthermore, a level that is lower than the Mth level by a proper numberof levels may be employed as sub-category nodes 2306. For example, asshown in FIG. 23, a node that exists in a path originating from thecategory node 2305 of “memory sticks” and that is located twolevels-lower than the category node 2305 is employed as a sub-categorynode of “playback devices” included in the category of devices usingmemory sticks. Similarly, a node 2307 below the sub-category node 2306of playback devices is employed as a sub-category node of “telephoneshaving a music playback capability” included in the category of playbackdevices. At a further lower level, a sub-category node 2308 of “PHS” anda sub-category node 2309 of “portable telephone” are defined such thatboth sub-categories belong to the category of telephones having musicplayback capability.

The categories and subcategories can be defined according to not onlythe types of devices but also manufactures, content providers, orclearance institutions, and those node may be respectively managed bythem. That is, the categories and subcategories may be defined so as tohave arbitrary scopes in accordance with, for example, processing,management organizations, or services provided (hereinafter, units inthe categories or sub-categories are generically referred to asentities). For example, if one category node is set as a top node fordedicated use of a game machine XYZ provided by a game machinemanufacturer, it becomes possible to sell game machines XYZ in whichnode keys and leaf keys below the top node are stored. After selling thegame machines XYZ, encrypted contents or keys may be supplied or keysmay be renewed by supplying an enabling key block (EKB) including thetop node key and node keys and leaf keys below the top node so that onlydevices below the top node can use the supplied data.

As described above, when one node is given as a top node, lower-levelnodes arising from the top node are defined as belonging to a categoryor a sub-category assigned to that top node, thereby making it possiblefor a manufacturer or a content provider that manages one top node ofone category or sub-category to produce an enabling key block (EKB)including that top node without having to taking into account the othercategories or sub-categories and distribute the resultant enabling keyblock (EKB) to devices corresponding to the top node or the lower-levelnodes arising from the top nodes, and thus making it possible to renew akey without exerting any influence on devices belonging to the othercategories that do not belong to that top node.

Distribution of a Key Using a Simplified EKB (1)

In the tree structure described earlier with reference to FIG. 3, when akey such as a content key is sent to a specific device (leaf), anenabling key block (EKB) is produced such that it can be decrypted by aleaf key 2303 or a node key 2302 held by the device to which the key isto be sent, and the resultant enabling key block (EKB) is provided tothe device. For example, in the tree structure shown in FIG. 24( a),when a key such as a content key is transmitted to devices a, g, and jat corresponding leaves, an enabling key block (EKB) that can bedecrypted by those nodes a, g, and j are produced and transmittedthereto.

More specifically, when a content key K(t)con is encrypted using arenewed root key K(t)root and transmitted together with an EKB, thedevices a, g, and j can acquire K(t)root by processing the EKB using theleaf key 2303 and the node keys 2302 shown in FIG. 24( b), and furthercan acquire the content key K(t)con by performing decryption using theacquired renewed root key K(t)root.

FIG. 25 shows the enabling key block (EKB) that is transmitted in thisspecific case. The enabling key block (EKB) shown in FIG. 25 is producedin accordance with the EKB format described earlier in accordance withFIG. 6, and thus the EKB includes data (encrypted keys) and tagscorresponding to the data. As described earlier with reference to FIG.7, left (L) and right (R) components of each tag have a value of 0 or 1depending on whether data exits in L or R directions.

If a device receives the enabling key block (EKB), the devicesequentially decrypts the encrypted keys included in the enabling keyblock (EKB) on the basis of the tags thereby sequentially acquiringrenewed keys from a level to a higher level. As shown in FIG. 25, thedata size of the enabling key block (EKB) increases with the number oflevels between the root and the leaves (the number of levels is referredto as the depth). The depth (number of levels) increases with the numberof devices (leaves), and thus the data size of the EKB becomes greatwhen keys are transmitted to a great number of devices.

A technique of reducing the data size of the enabling key block (EKB) isdescribed below. FIG. 26 shows an example of an enabling key block (EKB)simplified depending on the devices to which keys are transmitted.

As in the example shown in FIG. 25, it is also assumed that a key suchas a content key is transmitted to devices a, g, and j at correspondingleaves. As shown in FIG. 26( a), a tree structure is produced such thatit includes only those devices to which the key is to be transmitted. Inthis case, the tree structure shown in FIG. 26( b) is produced on thebasis of the tree structure shown in FIG. 24( b). In a path from Krootto Kj, there is no path branching from the path from Kroot to Kj, andthus this path can be represented by only one branch. On the other hand,to reach Ka or Kg from Kroot, it is needed to branch at K0 to Ka or Kg.Thus, the tree can be formed so as to have two branches as shown in FIG.26( a).

As shown in FIG. 26( a), the resultant tree has a simplified formincluding only one node K0. The enabling key block (EKB) used todistribute renewed keys is produced on the basis of this simplifiedtree. The tree shown in FIG. 26( a) can be produced by reconstructingthe original tree such that a binary tree is first produced such that itincludes only paths to endpoint nodes or leaves that are allowed todecrypt the enabling key block (EKB) and then unnecessary nodes areremoved from the tree. The enabling key block (EKB) used to distributerenewed keys is produced on the basis of only keys corresponding to thenodes or leaves included in this reconstructed hierarchical tree.

The enabling key block (EKB) described above with reference to FIG. 25includes all encrypted keys existing in paths from respective leaves a,g, and j to Kroot. In contrast, the simplified EKB includes onlyencrypted keys at nodes included in the simplified tree. As shown inFIG. 26( b), each tag is represented by 3 bits. The second and thirdbits are used in the same manner as in the example shown in FIG. 25.That is, the second bit has a value of 0 or 1 depending on whether thereis data in the L (left) direction, and the third bit has a value of 0 or1 depending on whether there is data in the R (right) direction. Thefirst bit is used to indicate whether the EKB includes an encrypted keyat the node corresponding to the tag. When an encrypted key is included,the first bit is set to 1, while it is set to 0 if no encrypted key isincluded.

The data size of the enabling key block (EKB), which is provided todevices (leaves) via a data communication network or provided bysupplying a storage medium on which the EKB is stored, can be greatlyreduced by employing the structure shown in FIG. 26( b) compared withthe structure shown in FIG. 25. When each device receives the enablingkey block (EKB) shown in FIG. 26, the device sequentially decrypts onlythe data at locations where the first bit of the corresponding tags is1, thereby obtaining all necessary decrypted keys. More specifically,the device a decrypts encrypted data Enc(Ka, K(t)0) using a leaf key Kathereby acquiring a node key K(t)0, and decrypts encrypted dataEnc(K(t)0, K(t)root) using the node key K(t)0 thereby acquiringK(t)root. On the other hand, the device j decrypts encrypted dataEnc(Kj, K(t)root) using a leaf key Kj thereby acquiring K(t)root.

As descried above, if a new simplified tree structure including onlydevices to which data is to be transmitted is produced, and if anenabling key block (EKB) is produced using only leaf keys and node keysincluded in the simplified tree, the resultant enabling key block (EKB)becomes small in data size, and thus it becomes possible to transmit theenabling key block (EKB) in an efficient manner.

Distribution of a Key Using a Simplified EKB (2)

A technique of further simplifying the enabling key block (EKB) producedon the basis of the simplified tree shown in FIG. 26, thereby furtherreducing the data size and thus making it possible to perform processingin an efficient manner.

In the example described above with reference to FIG. 26, the tree isproduced by reconstructing the original tree such that a binary tree isfirst produced such that it includes only paths to endpoint nodes orleaves that are allowed to decrypt the enabling key block (EKB) and thenunnecessary nodes are removed from the tree. The enabling key block(EKB) used to distribute renewed keys is produced on the basis of onlykeys corresponding to the nodes or leaves included in this reconstructedhierarchical tree.

On the basis of the reconstructed hierarchical tree shown in FIG. 26(a), an enabling key block (EKB) is produced as shown in FIG. 26( b) sothat leaves a, g, and j can acquire renewed root key K(t)root, and theresultant enabling key block (EKB) is transmitted. Via the processing ofthe enabling key block (EKB) shown in FIG. 26( b), the leaf j canacquire the root key K(t)root by performing only one decryption processin which Enc(Kj, K(t)root) is decrypted. However, the leaves a and ghave to first decrypt Enc(Ka, K(t)0) or Enc(Kg, K(t)0) to acquire K(t)0and then decrypt Enc(K(t)0, K(t)root) to the root key K(t)root. That is,leaves a and g have to perform a two-step process for decryption.

In a case where the node K0 functions as a subroot node that manageslower-level leaves a and g, the hierarchical tree reconstructed into thesimplified form as shown in FIG. 26 may be useful to confirm that leavesa and b have acquired renewed keys. However, if the node K0 does notmange the lower-level leaves, or if, although the node K0 manages thelower-level leaves, providing of a renewed key from a higher-level nodeis allowed, then the reconstructed hierarchical tree shown in FIG. 26(a) may be further simplified by removing the node K0, and an enablingkey block (EKB) may be produced on the basis of this further simplifiedtree.

An example of such an enabling key block (EKB) is shown in FIG. 27. Asin the example shown in FIG. 26, it is also assumed that a key such as acontent key is transmitted to devices a, g, and j at correspondingleaves. As shown in FIG. 27( a), a tree is produced such that the rootKroot is directly connected to the respective leaves a, g, and j.

Thus, as shown in FIG. 27( a), the resultant tree has a structure thatcan be obtained by removing the node K0 from the reconstructedhierarchical tree shown in FIG. 26( a). The enabling key block (EKB)used to distribute renewed keys is produced on the basis of thissimplified tree. The tree shown in FIG. 27( a) is a hierarchical treereconstructed so as to include only paths that directly connect the rootand leaves that are allowed to decrypt the enabling key block (EKB). Theenabling key block (EKB) used to distribute renewed keys is produced onthe basis of only keys corresponding to the leaves included in thisreconstructed hierarchical tree.

In the specific example shown in FIG. 27( a), the endpoint nodes areused as leaves. Also in a case where the highest-level node distributekeys to middle-level and lower-level nodes, the tree may be simplifiedby directly connecting the highest-node to a middle-level or lower-levelnode, an enabling key block (EKB) may be produced on the basis of thesimplified tree, and keys may be transmitted using the resultantenabling key block (EKB). As described above, the reconstructedhierarchical tree has a tree structure in which the top node thereof isdirectly connected to endpoint nodes or leaves. In this simplified tree,the number of paths branching from the top node is not limited to two,but the top node may have three or more branching paths depending on thenumber of distribution nodes or leaves.

The enabling key block (EKB) described above with reference to FIG. 25includes encrypted data corresponding to all keys in paths from therespective leaves a, g, and j to Kroot. In the example shown in FIG. 26,the enabling key block (EKB) includes the leaf keys assigned to theleaves a, g, and j, the node K0 shared by a and g, and the root key. Incontrast, in the enabling key block (EKB) on the basis of the simplifiedhierarchical tree shown in FIG. 27( a), the key at the node K0 isremoved, and thus, as shown in FIG. 27( b), it has a further reduceddata size.

The enabling key block (EKB) shown in FIG. 27( b), as in the enablingkey block (EKB) shown in FIG. 26( b), includes 3-bit tags. The secondand third bits are used in the same manner as in the example shown inFIG. 26. That is, the second bit has a value of 0 or 1 depending onwhether there is data in the L (left) direction, and the third bit has avalue of 0 or 1 depending on whether there is data in the R (right)direction. The first bit is used to indicate whether the EKB includes anencrypted key at the node corresponding to the tag. When an encryptedkey is included, the first bit is set to 1, while it is set to 0 if noencrypted key is included.

Using the enabling key block (EKB) shown in FIG. 27( b), the respectiveleaves a, g, and j can acquire the root key K(t)root by performing onlyone process of decrypting Enc(Ka, K(t)root), Enc(Kg, K(t)root) orEnc(Kj, K(t)root).

An enabling key block (EKB) on the basis of a tree reconstructed into asimplified form including a top node and endpoint nodes or leavesdirectly connected to the top node is produced on the basis of onlythose keys corresponding to the top node and the endpoint nodes orleaves of the reconstructed tree, as shown in FIG. 27( b).

By building a new simplified tree structure including only devices towhich an enabling key block (EKB) is to be supplied and by producing theenabling key block (EKB) using only keys included in the resultantsimplified tree or keys shared by leaves, as is the case with theenabling key blocks (EKB) described above with reference to FIG. 26 or27, the resultant enabling key block (EKB) becomes small in data size,and thus it becomes possible to transmit the enabling key block (EKB) inan efficient manner.

The simplified hierarchical tree structure is useful in particular whenEKB's are managed on the basis of category tress, wherein the categorytree is one type of subtree as will be described below. The categorytree is a set of nodes or leaves selected from nodes or leaves of anoriginal key distribution tree. A category tree may be formed in variousaspects. For example, a category tree may be a set of nodes or leavesthat are combined together in accordance with the device type, thedevice supplier, the content provider, or the clearance institution, orin accordance with a common feature in terms of process, management, orservices provided. Devices classified into one category are assigned toone category tree. For example, if constructing a simplified treeincluding top nodes (subroots) of a plurality of category trees in asimilar manner as described above, and if an EKB is produced on thebasis of the constructed tree, then the resultant simplified enablingkey block (EKB) can be decrypted only by devices belonging to any one ofthe selected category trees. The management on the basis of the categorytrees will be described in detail later.

The enabling key block (EKB) may be stored on an information storagemedium such as an optical disk or a DVD. For example, an enabling keyblock (EKB) including a data part including encrypted key data and a tagpart including location identification data identifying the locations ofthe encrypted key data in a hierarchical tree structure may be storedtogether with message data such as content data encrypted using arenewed node key on an information storage medium, and the resultantinformation storage medium may be provided to devices. Each device cansequentially extract encrypted key data included in the enabling keyblock (EKB) in accordance with the identification data in the tag field,and can decrypt the extracted encrypted key data thereby acquiring a keyneeded to decrypt content and thus using the content. Of course, theenabling key block (EKB) may be transmitted via a network such as theInternet.

Management of EKB on a Category Tree Basis

A manner of managing nodes or leaves in a tree structure for use in keydistribution in accordance with a block or a set of nodes or leaves isdescribed below. Herein, a block, which is a set of nodes or leaves, isreferred to as a category tree. A category tree may be formed in variousaspects. For example, a category tree may be a set of nodes or leavesthat are combined together in accordance with the device type, thedevice supplier, the content provider, or the clearance institution, orin accordance with a common feature in terms of process, management, orservices provided.

The category tree may be described in further detail with reference toFIG. 28. FIG. 28( a) shows a manner of managing a tree structure inunits of category trees. In FIG. 28( a), each category tree isrepresented by one triangle. Each category tree, for example, thatdenoted by reference numeral 2701, includes a plurality of nodes. FIG.28( b) shows a node structure in one category tree. Each category treeis constructed in the form of a binary tree including one top node and aplurality of nodes at lower levels. Herein, a top node, such as thatdenoted by reference numeral 2702, of each category tree is referred toas a sub-root.

As shown in FIG. 28( c), there are leaves, that is, devices, at lowerends of the tree. Any device belongs to one of category trees eachincluding one top node 2702 serving as a sub-root and a plurality ofleaves corresponding to devices.

As can be seen from FIG. 28( a), category trees have a hierarchicalstructure, as described below with reference to FIG. 29.

FIG. 29( a) illustrates an example of the hieratical structure in asimplified fashion. In this specific example, the hierarchical categorytree structure includes category trees A01 to Ann at a certain levelbelow Kroot. At a level just below the category trees A01 to Ann,category trees B01 to Bnk are disposed. At a next lower level, categorytrees C1 to Cnq are disposed. As shown in FIGS. 29( b) and (c), eachcategory tree has a tree structure in which nodes and leaves aredisposed at a plurality of levels.

For example, the category tree Bnk has a tree structure including, asshown in FIG. 28( b), a top node 2811 serving as a sub-root, endpointnodes 2812, and other nodes located between the top node 2811 and theendpoint nodes 2812. The category tree is assigned an identifier Bnk andmanages the nodes within the category tree Bnk independently for thecategory tree Bnk, thereby managing lower-level category trees each ofwhich includes, as its top node, one of endpoint nodes 2812. On theother hand, the category tree Bnk is managed by a higher-level (parent)category tree Ann one of endpoint nodes 2811 of which is included, asthe sub-root 2811, in the category tree Bnk.

As shown in FIG. 28( c), a category tree Cn3 has a tree structureincluding a top node 2851 serving as a sub-root, endpoint nodes 2852corresponding to respective devices that are leaves in this case, andother nodes between the top node 2851 and the endpoint nodes 2852. Thiscategory tree is assigned an identifier Cn3 and manages the nodes andleaves within the category tree Cn3 independently for the category treeCn3, thereby managing leaves (devices) at the endpoint nodes 2852. Onthe other hand, the category tree Cn3 is managed by a higher-level(parent) category tree Bn2, one of endpoint nodes of which is included,as the sub-root 2851, in the category tree Cn3. Herein, the keymanagement of each category tree refers to, for example, renewal of akey, revoking, or the like, as will be described in detail later.

In each device corresponding to a leaf in a category tree at the bottom,a leaf key of the category tree, to which that device belongs, and nodekeys at respective nodes existing in a path from the leaf to the topnode serving as the sub-root node of that category tree are stored. Forexample, for a device at an endpoint node 2852, keys corresponding tonodes in a path from the endpoint node (leaf) 2852 to the sub-root node2851 are stored.

The structure of the category tree is further described with referenceto FIG. 30. Each category tree can have a tree structure including avarious levels. The depth (number of levels) may be set depending on thenumber of lower-level (child) category trees each corresponding toendpoint nodes of that category tree or depending on the number ofdevices to leaves.

A category tree structure shown in FIG. 30( a) may be embodied as shownin FIG. 30( b). Herein, a root tree is a tree located at the top and theroot tree has a root key. A plurality of lower-level category trees A,B, and C are disposed at respective endpoint nodes of the root tree. Afurther-lower level category tree D is disposed below the category treeC. In the category tree C (2901), one or more endpoint nodes arereserved as reserved nodes 2950 so that another lower-level categorytree can be added in the future by using the reserved node 2950. Forexample, a category tree C′ (2902) having a multilevel tree structuremay be added by assigning the reserved node 2950 as the top node of thenew category tree.

The reserved nodes are described in further detail below with referenceto FIG. 31. A category tree A (3011) has lower-level category trees B,C, D, and so on managed by the category tree A (3011), and also has onereserved node 3021. For example, the number of lower-level categorytrees may be increased in such a manner that the reserved node 3021 isassigned to a lower-level category A′ (3012), and further lower-levelcategory trees F and G may be connected to endpoint nodes of thelower-level category tree A′ (3012). The lower-level category tree A′(3012) may reserve at least one endpoint node 3022 so that anotherlower-level category tree A″ (3013) may be added. The lower-levelcategory tree A″ (3013) may reserve one or more endpoint nodes 3023. Byreserving endpoint nodes in the above-described manner, it becomespossible to increase the number of lower-level category trees managed bya certain category tree without limitation. The number of reservedcategory trees is not limited to one, but a plurality of endpoints maybe reserved.

Each category tree may produce an enabling key block (EKB) independentlyof the other category trees, and key renewal and revocation may beperformed independently of the other category trees. As shown in FIG.31, enabling key blocks (EKB's) are assigned to respective categorytrees A, A′, and A″. These enabling key blocks (EKB's) may be managedby, for example, a device manufacturer that manages the category treesA, A′, and A″.

Registration of a New Category Tree

Registration of a new category tree is described below. FIG. 32 shows aregistration processing sequence. In the sequence shown in FIG. 32, anew (child) category tree (N-En) to be added to the tree structureissues a new registration request to an upper-level (parent) categorytree (P-En). Each category tree has its own public key according to thepublic key cryptography scheme. When the new category tree issues theregistration request, it transmits its public key to the upper-levelcategory tree (P-En).

Upon receiving the registration request, the upper-level category tree(P-En) transfers the received public key of the new (child) categorytree (N-En) to a certificate authority (CA) to receive a public key ofthe new (child) category tree having a signature of the CA. The aboveprocedure is performed in mutual authentication between the upper-levelcategory tree (P-En) and the new (child) category tree (N-En).

If the authentication of the category tree requesting new registrationis completed via the above process, the upper-level category tree (P-En)gives permission of the registration of the new (child) category tree(N-En) and transmits a node key assigned to the new (child) categorytree to the new (child) category tree (N-En). This node key correspondsto one of the endpoint nodes of the upper-level category tree (P-En),and also corresponds to the top node or a sub-root key of the new(child) category tree (N-En).

After the completion of the transmission of the node key, the new(child) category tree (N-En) builds a tree structure of the new (child)category tree (N-En) and sets the received sub-root key at the top nodeof the tree structure. Furthermore, keys are set at the respective nodesand leaves, and an enabling key block (EKB) associated with the categorytree is produced. An enabling key block (EKB) associated with a categorytree is referred to as a sub-EKB.

On the other hand, the upper-level category tree (P-En) produces asub-EKB associated with the upper-level category tree (P-En) such thatan endpoint node, which was made active when the new (child) categorytree was connected thereto, is reflected in the sub-EKB.

After the new (child) category tree (N-En) produces the sub-EKBincluding the node keys and leaf keys within the new (child) categorytree (N-En), the new (child) category tree (N-En) transmits theresultant sub-EKB to the upper-level category tree (P-En).

Upon receiving the sub-EKB from the new (child) category tree (N-En),the upper-level category tree (P-En) transmits the received sub-EKBtogether with the renewed sub-EKB of the upper-level category tree(P-En) to a key distribution center (KDC).

On the basis of sub-EKB's of all category trees, the key distributioncenter (KDC) can produce an EKB in various manners. For example, the EKBcan be produced such that only a specified category tree or a specifieddevice can decrypt the EKB. If the EKB produced so as to be allowed tobe decrypted by a specified category tree or device is provided to, forexample, a content provider, and if the content provider encrypts acontent key on the basis of the received EKB and supplies the encryptedcontent key via a network or supplies a storage medium on which theencrypted key is stored, it becomes possible to provide content suchthat the content can be used only by the specified device.

The manner of registration of a sub-EKB of a new category tree at a keydistribution center (KDC) is not limited to sequentially transferringthe sub-EKB via an upper-level category tree, but registration may alsobe possible by directly transmitting the sub-EKB from the new categorytree to the key distribution center (KDC) without passing it via theupper-level category tree.

The correspondence between an upper-level category tree and alower-level category tree that is newly added to the upper-levelcategory tree is described below with reference to FIG. 33. Byproviding, as a top node of the new category tree to be added, oneendpoint node 3201 of the upper-level category tree to the lower-levelcategory tree, the lower-level category tree can be added as one of thecategory trees that are managed by the upper-level category tree. Aswill be described in detail later, category trees managed by theupper-level category tree refer to those category trees that can berevoked by the upper-level category tree.

As shown in FIG. 33, if a new category tree B01 is added to anupper-level category tree A01, the same node acts as one endpoint nodeor leaf 3201 of the upper-level category tree and also as the top node3202 of the newly added category tree. That is, one endpoint nodeserving as one leaf of the upper-level node 3201 is set to be thesub-root 3202 of the newly added category tree B01. By performing thesetting in the above-described manner, the newly added category tree B01becomes one of active category trees constituting the total treestructure.

FIG. 34 shows an example of a renewed EKB that is produced by anupper-level category tree when a new category tree is added. That is,FIG. 34 shows an example of a sub-EKB that is produced by theupper-level category tree when, in a situation in which the upper-levelcategory tree has a tree structure including, as shown in FIG. 34( a),an active endpoint node (node 000) 3301 and an active endpoint node(node 001) 3302, an endpoint node (node 100) 3303 thereof is provided tothe new category tree.

The sub-EKB has a format shown in FIG. 34( b). That is, the sub-EKB is alist of a high-level node key encrypted using an active endpoint nodekey, a higher-level node key encrypted using the upper-level node key, .. . , and finally a sub-root key. The sub-EKB is produced according tothis format. Each category tree has its own EKB in the form of encrypteddata including, as with the sub-EKB shown in FIG. 34( b), a high-levelnode key encrypted using an active endpoint node key or leaf key, ahigher-level node key encrypted using the high-level node key, . . . ,and finally a sub-root key. The EKB of each category tree is managed bythat category tree itself.

Revocation Under the Management of a Category Tree

Revocation of a device or a category tree performed in a situation inwhich the key distribution tree is managed on a category tree bycategory tree basis is described below. In the examples shown in FIGS. 3and 4, an enabling key block (EKB) is produced such that the resultantenabling key block (EKB) can be decrypted only specified devices in thetree structure but a revoked device cannot decrypt the resultantenabling key block (EKB). In the examples shown in FIGS. 3 and 4,revocation is performed for a device assigned to a specific leaf in thetree structure. In a case where management is performed on a categorytree basis, revocation can be performed on a specific category tree.

Referring to FIG. 35 and following figures, a revocation processperformed in a situation in which management is performed on a categorytree basis is described below. FIG. 35 shows a process of revoking acategory tree at the lowest level in the tree structure including aplurality of category trees. In this case, devices belonging to therevoked category tree are all revoked.

FIG. 35( a) shows a key distribution tree structure managed on the basisof category trees. In this specific example, a root node is disposed atthe top of the tree, and category trees A01 to Ann are disposed at acertain level below the root node. Category trees B01 to Bnk aredisposed at a lower level, and category trees C1 to Cn are disposed at afurther lower level. Category trees at the lowest level have endpointnodes (leaves) assigned to respective devices such as arecording/playing-back apparatus and a playback apparatus.

Revocation is performed individually by the respective category trees.For example, the category trees C1 to Cn at the lowest level can revokea device at a leaf. FIG. 35( b) shows a tree structure of a categorytree Cn (3430) that is one of the category trees at the lowest level.The category tree Cn (3430) has a top node 3431, and a plurality ofdevices are assigned to respective leaves at the endpoint nodes.

When, for example, a device 3432 assigned to a leaf at a certainendpoint node should be revoked, the category tree Cn (3430) renews thecategory tree Cn itself and produces an enabling key block (sub-EKB)consisting of node keys and leaf keys included in the renewed categorytree Cn. This enabling key block cannot be encrypted by the revokeddevice 3432 but can be encrypted only by devices assigned to the otherleaves. A manager of the category tree Cn produces such an enabling keyblock as a renewed sub-EKB. More specifically, node keys at nodes 3431,3434, and 3435 in a path from the sub-root to the device 3432 to berevoked are renewed. A renewed sub-EKB is produced into the form ofencrypted key data such that the renewed node keys are reflected in therenewed sub-EKB, thereby ensuring that the renewed sub-EKB can bedecrypted only by leaf devices other than the revoked device 3432. Thisrevocation process is equivalent to the revocation process describedabove with reference to FIGS. 3 and 4, if the root key is replaced withthe sub-root key that is a top node key of the category tree.

The enabling key block (sub-EKB) renewed via the revocation processperformed by the category tree Cn (3430) is transmitted to ahigher-level category tree. In this specific example, the high-levelcategory tree is a category tree Bnk (3420), which includes, as one ofendpoint nodes, the top node 3431 of the category tree Cn (3430).

If the category tree Bnk (3420) receives the enabling key block(sub-EKB) from the lower-level category tree Cn (3430), the categorytree Bnk (3420) replaces the key assigned to the endpoint node 3431 ofthe category tree Bnk (3420) corresponding to the top node 3431 of thecategory tree Cnk (3430) with the renewed key included in the enablingkey block received from the lower-level category tree Cn (3430), and thecategory tree Bnk (3420) renews its own sub-EKB. FIG. 35( c) shows thetree structure of the category tree Bnk (3420). In the category tree Bnk(3420) shown in FIG. 35( c), it is needed to renew node keys in a pathfrom the sub-root 3421 to the endpoint node 3431 connected to thecategory tree including the device to be revoked. More specifically, itis needed to renew node keys assigned to nodes 3421, 3424, and 3425 inthe path connected to the node 3431 of the category tree that hastransmitted the renewed sub-EKB. After renewing the node keyscorresponding to these nodes, the category tree Bnk (3420) produces itsrenewed sub-EKB so as to reflect the renewed node keys.

The renewed enabling key block (sub-EKB) produced by the category treeBnk (3420) is transmitted to a further higher-level category tree. Inthis specific example, the further higher-level category tree is acategory tree Ann (3410), which includes, as one of endpoint nodes, thetop node 3421 of the category tree Bnk (3420).

If the category tree Ann (3410) receives the enabling key block(sub-EKB) from the lower-level category tree Bnk (3420), the categorytree Ann (3410) replaces the key assigned to the endpoint node 3421 ofthe category tree Ann (3410) corresponding to the top node 3421 of thecategory tree Bnk (3420) with the renewed key included in the enablingkey block received from the lower-level category tree Bnk (3420), andthe category tree Ann (3410) renews its own sub-EKB. FIG. 35( d) showsthe tree structure of the category tree Ann (3410). In the category treeAnn (3410) shown in FIG. 35( d), it is needed to renew node keysassigned to nodes 3411, 3414, and 3415 in a path from the sub-root 3411to the endpoint node 3421 connected to the category tree that hastransmitted the renewed sub-EKB. After renewing the node keyscorresponding to these nodes, the category tree Ann (3410) produces itsrenewed sub-EKB so as to reflect the renewed node keys.

The above-described process is performed for further higher-levelcategory trees until the root category tree shown in FIG. 30( b) hasbeen renewed. Via the sequence of processes described above, revocationof the device is completed. The renewed sub-EKB's produced by therespective category trees are finally transmitted to the keydistribution center (KDC) and stored therein. The key distributioncenter (KDC) produces various EKB's on the basis of all renewedsub-EKB's. Each renewed EKB has a form of an encrypted key block thatcannot be decrypted by the revoked device.

The sequence of device revocation processes is shown in FIG. 36. In thesequence shown in FIG. 36, a device management category tree (D-En) atthe bottom of the tree structure performs key renewal needed to revoke aleaf from the device management category tree (D-En) and produces arenewed sub-EKB(D) of the device management category tree (D-En). Therenewed sub-EKB(D) is transmitted to a higher-level category tree. Uponreceiving the renewed sub-EKB(D), the higher-level (parent) categorytree (P1-En) renews the node key assigned to the endpoint nodecorresponding to the top node of the renewed sub-EKB(D) and also nodekeys assigned to nodes in the path from that endpoint node to thesub-root, and then produces a renewed sub-EKB(P1) so as to reflect therenewed node keys. The above-described process is performed for furtherhigher-level category trees, and all renewed sub-EKB's that are finallyobtained are stored in the key distribution center (KDC) and managedthereby.

FIG. 37 shows an example of a renewed enabling key block (EKB) producedby a higher-level category tree in a device revocation process.

In the specific example shown in FIG. 37, in response to receiving arenewed sub-EKB from a lower-level category tree shown in FIG. 37( a)including a device to be revoked, a higher-level category tree producesa renewed EKB. The top node of the lower-level category tree includingthe device to be revoked corresponds to an endpoint node (node 100) 3601of the higher-level category tree.

The higher-level category tree renews node keys at nodes in the pathfrom the sub-root of the higher-level category tree to the endpoint node(node 100) 3601 and produces a renewed sub-EKB so as to reflect therenewed node keys. The resultant renewed sub-EKB is shown in FIG. 37(b). In FIG. 37( b), the renewed keys are underlined and primed. Asdescribed above, the node keys in the path from the renewed endpointnode to the subroot are renewed, and the renewed sub-EKB of the categorytree is produced so as to reflect the renewal of the node keys. Now,revocation of a category tree is described below.

FIG. 38( a) shows an example of a key distribution tree structuremanaged on the basis of units of category trees. In this specificexample, a root node is disposed at the top of the tree, and categorytrees A01 to Ann are disposed at a certain level below the root node.Category trees B01 to Bnk are disposed at a lower level, and categorytrees C1 to Cn are disposed at a further lower level. Category trees atthe lowest level have endpoint nodes (leaves) assigned to respectivedevices such as a recording/playing-back apparatus and a playbackapparatus.

Herein, it is assumed that a category tree Cn (3730) should be revoked.The category tree Cn (3730) at the bottom includes a top node 3731 asshown in FIG. 38( b), and a plurality of devices are assigned torespective leaves at the endpoint nodes.

By revoking the category tree Cn (3730), it is possible to remove alldevices belonging to the category tree Cn (3730) from the tree structureat the same time. Revocation of the category tree Cn (3730) is performedby a category tree Bnk (3720) located next to, at a higher level, thecategory tree Cn (3730). The category tree Bnk (3720) includes, as oneof the endpoint nodes, the top node 3731 of the category tree Cn (3730).

In order to revoke the lower-level category tree Cn (3730), the categorytree Bnk (3720) renews an endpoint node 3731 of the category tree Bnk(3720) corresponding to the top node 3731 of the category tree Cnk(3730) and further renews node keys in the path from the category tree3730 to be revoked to the subroot of the category tree Bnk (3720). Thecategory tree Bnk (3720) then produces an enabling key block serving asa renewed sub-EKB. Herein, the node keys to be renewed are node keys inthe path from the subroot 3721 shown in FIG. 38( c) to an endpoint node3731 that is also the top node of the category tree to be revoked. Morespecifically, node keys assigned to nodes 3721, 3724, 3725, and 3731 arerenewed. After renewing the node keys corresponding to these nodes, thecategory tree Bnk (3720) produces its renewed sub-EKB so as to reflectthe renewed node keys.

Alternatively, when the category tree Bnk (3720) revokes the lower-levelcategory tree Cn (3730), the category tree Bnk (3720) may not renew itsendpoint node 3731 corresponding to the top node 3731 of the categorytree Cnk 3730, but the category tree Bnk (3720) may renew only the othernode keys in the path from the category tree 3730 to be revoked to thesubroot of the category tree Bnk 3720 and may produce an enabling keyblock serving as a renewed sub-EKB.

The renewed enabling key block (sub-EKB) produced by the category treeBnk (3720) is transmitted to a higher-level category tree. In thisspecific example, the further higher-level category tree is a categorytree Ann (3710), which includes, as one of endpoint nodes, the top node3721 of the category tree Bnk (3720).

If the category tree Ann (3710) receives the enabling key block(sub-EKB) from the lower-level category tree Bnk (3720), the categorytree Ann (3710) replaces the key assigned to the endpoint node 3721 ofthe category tree Ann (3710) corresponding to the top node 3721 of thecategory tree Bnk (3720) with the renewed key included in the enablingkey block received from the lower-level category tree Bnk (3720), andthe category tree Ann (3710) renews its own sub-EKB. FIG. 38( d) showsthe tree structure of the category tree Ann (3710). In the category treeAnn (3710) shown in FIG. 38( d), it is needed to renew node keysassigned to nodes 3711, 3714, and 3715 in a path from the sub-root 3711to the endpoint node 3721 connected to the category tree that hastransmitted the renewed sub-EKB. After renewing the node keyscorresponding to these nodes, the category tree Ann (3710) produces itsrenewed sub-EKB so as to reflect the renewed node keys.

The above-described process is performed for further higher-levelcategory trees until the root category tree shown in FIG. 30( b) hasbeen renewed. Via the sequence of processes described above, revocationof the category tree is completed. The renewed sub-EKB's produced by therespective category trees are finally transmitted to the keydistribution center (KDC) and stored therein. The key distributioncenter (KDC) produces various EKB's on the basis of all renewedsub-EKB's. Each renewed EKB has a form of an encrypted key block thatcannot be decrypted by any device belonging to the revoked categorytree.

The sequence of category tree revocation processes is shown in FIG. 39.In the sequence shown in FIG. 39, a category tree management categorytree (E-En), which wants to revoke some category tree, performs keyrenewal needed to isolate an endpoint node to be revoked from thecategory tree management category tree (E-En) and produces a renewedsub-EKB(E) of the category tree management category tree (E-En). Therenewed sub-EKB(E) is transmitted to a higher-level category tree. Uponreceiving the renewed sub-EKB(E), the higher-level (parent) categorytree (P1-En) renews the node key assigned to the endpoint nodecorresponding to the renewed top node of the renewed sub-EKB(E) and alsonode keys assigned to nodes in the path from that endpoint node to thesub-root, and then produces a renewed sub-EKB(P1) so as to reflect therenewed node keys. The above-described process is performed for furtherhigher-level category trees, and all renewed sub-EKB's that are finallyobtained are stored in the key distribution center (KDC) and managedthereby. The key distribution center (KDC) produces various EKB's on thebasis of all renewed sub-EKB's. Each renewed EKB has a form of anencrypted key block that cannot be decrypted by any device belonging tothe revoked category tree.

FIG. 40 illustrates the correspondence between a revoked lower-levelcategory tree and a higher-level category tree that revoked thelower-level category tree. An endpoint node 3901 of the higher-levelcategory tree is renewed in response to revoking the category tree, andthen the node keys in the path from the endpoint node 3901 to thesubroot of the higher-level category tree are renewed. Furthermore, anew sub-EKB is produced such that the renewal of the node keys isreflected. As a result, the node key of the top node 3902 of the revokedlower-level category tree and the node key of the endpoint node 3901 ofthe higher-level category tree become different from each other. Becauseany EKB produced by the key distribution center (KDC) after therevocation of the category tree is based on the key of the endpoint node3901 renewed by the higher-level category tree, any device correspondingto a leaf of the lower-level category tree cannot have the renewed keyand thus cannot decrypt the EKB produced by the key distribution center(KDC).

Although in the example described above, a category tree at the bottomlevel that manages devices is revoked, a category tree that is locatedat a middle level and that manages a lower-level category tree may alsobe revoked by a category tree located next to, at a higher level, thecategory tree to be revoked in a similar manner as described above. Byrevoking an entity management category tree at a middle level, it ispossible to simultaneously revoke all lower-level category trees anddevices belonging directly or indirectly to the revoked category tree.

As described above, revocation of a category tree makes it possible toperform revocation more easily than in the case where revocation isperformed in units of devices.

Management of Capability of Category Tree

When keys are distributed on the basis of category trees, the capabilityof each entity may be managed and content may be distributed dependingin the capability as described below. Herein, the term capability isused to represent or define what kinds of contents or program a devicecan deal with. Examples of capabilities are a capability ofdecompressing audio data compressed according to a specific compressionscheme, a capability of audio reproduction according to a specificscheme, and a capability of dealing with a particular image processingprogram.

FIG. 41 shows an example of a category tree structure includingcapability definition information. A root node is disposed at the top ofthe key distribution tree structure, and a plurality of category treesin the form of a binary tree are disposed at lower levels. For example,a category tree 4001 is defined as having an audio playback capabilityaccording to any one of audio playback schemes A, B, and C. Morespecifically, for example, when music data compressed by an audiocompression program A, B, or C is distributed, any device belonging aslower-level category trees to the category tree 4001 can decompress thecompressed data.

Similarly, a category tree 4002 is defined as having audio playbackcapability according to one of audio playback schemes B and C, acategory tree 4003 is defined as having audio playback capabilityaccording to one of audio playback schemes A and B, a category tree 4004is defined as having audio playback capability according to the audioplayback scheme B, and a category tree 4005 is defined as having audioplayback capability according to the audio playback scheme A.

On the other hand, a category tree 4021 is defined as having a videoplayback capability according to any one of schemes p, q, and r, acategory tree 4022 is defined as having a video playback capabilityaccording to any one of schemes p and q, and a category tree 4023 isdefined as having a video playback capability according to the scheme p.

The capability information of respective category trees is managed bythe key distribution center (KDC). For example, when a certain contentprovider wants to distribute music data compressed by a specificcompression program to various devices, the key distribution center(KDC) produces an enabling key block (EKB) that can be decrypted only bydevices capable of playing back music data compressed by that specificcompression program, on the basis of the capability information of therespective category trees. The content provider encrypts a content keyusing the enabling key block (EKB) produced in accordance with thecapability information and distributes the resultant encrypted contentkey. The content provider also provides compressed music data encryptedusing the content key to devices. This makes it possible to securelyprovide a specific processing program only to devices capable ofprocessing the data.

In the example shown in FIG. 41, capability information is defined forall category trees. However, it is not necessary to define capabilityinformation for all category trees. For example, as shown in FIG. 42,capability information is defined only for lowest-level category treesdirectly related to devices, and capability information of devicesbelonging to the lowest-level category trees is managed by the keydistribution center (KDC). In this case, in response to a request from acontent provider, the key distribution center (KDC) produces an enablingkey block (EKB) that can be decrypted only by devices having acapability specified by the content provider, on the basis of thecapability information defined for the lowest-level category trees. Inthe example shown in FIG. 42, capabilities are defined for categorytrees 4101 to 4105 whose endpoint nodes are related to devices, and thecapabilities of respective category trees are managed by the keydistribution center (KDC). For example, devices having an audio playbackcapability according to the scheme B and having a video playbackcapability according to the scheme r are related to the category tree4101, devices having an audio playback capability according to thescheme A and having a video playback capability according to the schemeq are related to the category tree 4102.

FIG. 43 shows an example of a capability management table managed by thekey distribution center (KDC). FIG. 43( a) shows the data format of thecapability management table. A category tree ID is an identifier thatidentifies a category tree. A capability list indicates capabilitiesdefined for a category tree indicated by a category tree ID. As shown inFIG. 43( b), the capability list consists of a plurality of bits eachindicating whether various capabilities are available or not. Forexample, if the audio data playback capability according to scheme (A)is available, the corresponding bit is set to “1”, but the bit is set to“0” if the capability is not available. Similarly, for the audio dataplayback capability according to scheme (B), the corresponding bit isset to “1” if the capability is available, but the bit is set to “0” ifthe capability is not available. Note that the method of setting thecapability information is not limited to that described above, butanother method may also be employed as long as the method can indicatethe capabilities of the devices managed by the category trees.

The capability management table further includes data representing thesub-EKB of each category tree. In a case where sub-EKB's are storedseparately in another database, identification information of sub-EKB isdescribed instead of the sub-EKB itself. Furthermore, the capabilitymanagement table also includes data indicating the subroot node of eachcategory tree.

On the basis of the capability management table, the key distributioncenter (KDC) produces an enabling key block (EKB) that can be decryptedonly by devices having a capability of playing back a specific content.Referring to FIG. 44, the process of producing the enabling key block onthe basis of the capability information is described below.

First, in step S4301, the key distribution center (KDC) selects acategory tree having a specified capability from the capabilitymanagement table. More specifically, for example, when a contentprovider wants to distribute audio data according to the audio dataplayback scheme A, the key distribution center (KDC) searches thecapability list shown in FIG. 43( a) and selects category trees having avalue of “1” in the bit indicating the audio data playback capabilityaccording to the scheme A.

Then in step S4302, the key distribution center (KDC) produces a list ofID's of selected category trees. Thereafter, in step S4303, the keydistribution center (KDC) selects a path that should be included in atree formed by selected category trees indicated by the ID's (that is, apath to be included in a key distribution tree). In step S4304, it isdetermined whether all paths included in the selection category treeID's have been selected. If all paths have not been selected, selectionof paths in step, 4303 is performed until all paths have been selected.That is, in the case where a plurality of category trees are selected,paths corresponding to the respective category trees are sequentiallyselected.

If all paths included in the selected category tree ID's have beenselected, the process proceeds to step S4305. In step S4305, a keydistribution tree structure including only the selected category treesis produced.

Then in step S4306, node keys included in the tree structure produced instep S4305 are renewed, thereby producing renewed node keys.Furthermore, sub-EKB's of the selected category trees included in thekey distribute tree structure are extracted from the capabilitymanagement table. On the basis of the extracted sub-EKB's and therenewed node keys produced in step S4306, an enabling key block (EKB) isproduced such that it can be decrypted only by the devices included inthe selected category trees. The enabling key block (EKB) produced inthe above-described manner can be used only by the devices having thespecified capability, that is, the enabling key block (EKB) can bedecrypted only by such devices. If, for example, a content key isencrypted using this enabling key block (EKB) and content compressed bya specific program is encrypted using that content key, and if theresultant encrypted content key and content are provided to devices,then only the devices having the specific capability selected by the keydistribution center (KDC) can use the content.

As described above, the key distribution center (KDC) produces anenabling key block (EKB) that can be decrypted only by devices havingcapability of playing back a specific content, on the basis of thecapability management table. Thus, when a new category tree isregistered, it is needed to acquire capability information of the newcategory tree to be registered. The method of notification of thecapability in the new category tree registration process is describedbelow with reference to FIG. 45.

FIG. 45 shows a capability notification sequence performed when a newcategory tree is added to the key distribution tree structure.

A new (child) category tree (N-En) to be added to the tree structureissues a new registration request to an upper-level (parent) categorytree (P-En). Each category tree has its own public key according to thepublic key cryptography scheme. When the new category tree issues theregistration request, it transmits its public key to the upper-levelcategory tree (P-En).

Upon receiving the registration request, the upper-level category tree(P-En) transfers the received public key of the new (child) categorytree (N-En) to a certificate authority (CA) to receive a public key ofthe new (child) category tree having a signature of the CA. The aboveprocedure is performed in mutual authentication between the upper-levelcategory tree (P-En) and the new (child) category tree (N-En).

If the authentication of the category tree requesting for newregistration is completed via the above process, the upper-levelcategory tree (P-En) gives permission of the registration of the new(child) category tree (N-En) and transmits a node key assigned to thenew (child) category tree to the new (child) category tree (N-En). Thisnode key corresponds to one of endpoint nodes of the upper-levelcategory tree (P-En), and also corresponds to the top node or a sub-rootkey of the new (child) category tree (N-En).

After the completion of the transmission of the node key, the new(child) category tree (N-En) builds a tree structure of the new (child)category tree (N-En) and sets the received sub-root key at the top nodeof the tree structure. Furthermore, keys are set at the respective nodesand leaves, and an enabling key block (sub-EKB) associated with thecategory tree is produced. On the other hand, the upper-level categorytree (P-En) produces a sub-EKB associated with the upper-level categorytree (P-En) such that an endpoint node, which was made active when thenew (child) category tree was connected thereto, is reflected in thesub-EKB.

If the production of the sub-EKB including the node keys and leaf keysof new (child) category tree (N-En) is completed, the new (child)category tree (N-En) transmits the produced sub-EKB to the upper-levelcategory tree (P-En). Furthermore, the new (child) category tree (N-En)transmits the capability information of devices managed by the categorytree to the upper-level category tree.

Upon receiving the sub-EKB and the capability information from the new(child) category tree (N-En), the upper-level category tree (P-En)transfers the received sub-EKB and capability information together witha renewed sub-EKB of the upper-level category tree (P-En) to the keydistribution center (KDC).

The key distribution center (KDC) registers the received sub-EKB andcapability information of the category tree into the capabilitymanagement table described above with reference to FIG. 43, therebyobtaining an updated capability management table. On the basis of therenewed capability management table, the key distribution center (KDC)can produce an EKB in various manners. For example, the EKB can beproduced such that only a specified category tree or a specified devicecan decrypt the EKB.

Management of EKB Using EKB Type Definition List

When an EKB is produced such that it can be decrypted by one or moreselected category trees and the resultant EKB is provided such that itcan be used in common by devices belonging to the respective selectedcategory trees, a method of using an EKB type definition list indicatingwhich category tree can use or decrypt the EKB is described below.

In the present embodiment, if the key distribution center (KDC) receivesan EKB issue request from an EKB requester, such as a content provider,who wants the key distribution center (KDC) to issue an EKB to be usedby the EKB requester, an EKB type identification number indicating theEKB type described in an EKB type definition list included in thereceived EKB issue request, such that the resultant EKB can be processed(decrypted) by one or more category trees.

In the process of producing the EKB, in accordance with top nodeidentifiers of the respective category trees set in correspondence withthe EKB type identification number described in the EKB type definitionlist, the key distribution center (KDC) requests the top-level categoryentities (TLCE), which are category tree mangers, to produce theirsub-EKB. If the sub-EKB's produced by the respective TLCE's arereceived, the key distribution center (KDC) combines the receivedsub-EKB's into an EKB that can be processed by the category trees.

In the present embodiment, the EKB requester such as the contentprovider (CP) can select specific category trees on the basis of the EKBtype definition list. After the EKB requester such as the contentprovider (CP) selects specific category trees on the basis of the EKBtype definition list, the EKB requester requests the key distributioncenter (KDC) to issue an EKB that can be processed by the selectedspecific category tree. In response to the EKB request, the keydistribution center (KDC) requests the management entity of the selectedcategory tree to issue a sub-EKB. The management entity of each selectedcategory tree produces an EKB that can be processed only by devices ofthat management entity, other than revoked devices, and transmits theresultant EKB to the key distribution center (KDC). The key distributioncenter (KDC) combines the one or more sub-EKB's, thereby producing anEKB that can be processed only by the category trees selected by the EKBrequester and provides the resultant EKB to the EKB requester. Uponreceiving the EKB from the key distribution center (KDC), the EKBrequester produces an encrypted key or encrypted content that can bedecrypted only by using a key acquired by processing the EKB anddistributes the resultant encrypted key or content.

First, various entities in the system are described briefly.

Key Distribution Center (KDC)

A key distribution center (KDC) issues enabling key blocks (EKB) andmanages an EKB type definition list associated with the issued EKB's.

Top Level Category Entity (TLCE)

A top level category entity (TLCE) is an entity which manages a categorytree, such as a format holder of a recording device, which manages acategory tree. The TLCE manages the category tree, produces a sub-EKBthat can be processed (decrypted) by devices within the category treemanaged by the TLCE, and provides the resultant sub-EKB to the keydistribution center (KDC).

EKB Requester

An EKB requester is, for example, an entity such as a content providerthat provides, as electronic content distribution (ECD) service, variouscontents such as video data, audio data, or programs. Another example ofan EKB requester is a format holder of a storage medium. The contentprovider provides encrypted content, an encrypted key, or an encryptedmedium that can be decrypted using a key which can be acquired byprocessing an EKB which is issued by the key distribution center (KDC)in response to a request issued by the content provider.

For example, the content provider (CP) encrypts content using a root keydescribed in the EKB produced by the key distribution center (KDC) anddistributes the resultant encrypted content. The format holder ofstorage media distributes media after writing the EKB onto the storagemedia during the production thereof so that a content encrypted using aroot key of the EKB can be stored thereon.

TLCE and Category-Based Tree Management

The category-based tree management has been already described above.Herein, the relationship between the top-level category entity (TLCE)and the category tree is described with reference to FIG. 46.

As described above, each category is a set of devices having similarfeatures. More specifically, an example of a category is a set ofdevices produced by the same manufacturer. Another example is a set ofdevices that can deal with a specific encoding format. In FIG. 46, A, B,C, and D denote category trees.

In FIG. 46, a root tree at the top has a tree structure having, forexample, eight levels (eight node levels). Top nodes of respectivecategory trees are disposed at the bottom of the root tree. The categorytrees may be related to each other such that a certain category tree ishigher in level than another category tree. In the specific exampleshown in FIG. 46, category trees C and D are related to each otherwherein the category tree C is a higher-level category tree related tothe category tree D at the lower level.

Each category tree directly connected to the root tree at the top isreferred to as a top-level category tree, and an entity that manages atop-level category tree is referred to as a top-level category entity(TLCE). In the specific example shown in FIG. 46, category trees A, B,and C are top-level categories, and entities that mange these top-levelcategories are top-level category entities (TLCE's). Each top-levelcategory entity (TLCE) is basically responsible for managing allcategory trees including the top-level category tree itself andlower-level category trees related to the top-level category tree. Inthe specific example shown in FIG. 46, the TLCE that manages thecategory tree C also manages the category tree D. If there is anothercategory tree at a further lower level related to the category tree D,the TLCE that manages the category tree C also manages the furtherlower-level category tree. However, another category entity (subcategory entity) may be established, and the responsibility and theright of management of the lower-level category tree D may be delegatedto that sub category entity.

Each device which uses content, such as a recording/reproducingapparatus, is assigned by the top-level category entity (TLCE) to a leafof a certain tree, and the device holds some of keys assigned to nodesin a path from that leaf to the root. A set of node keys held by onedevice is referred to as a device node key (DNK) set. The number of keysheld by each device (the number of keys included in a DNK set) isdetermined by the top-level category entity (TLCE).

FIG. 47 shows the outline of processes performed among respectiveentities such as a key distribution center (KDC), a top-level categoryentity (TLCE), and an EKB requester.

A key distribution center (KDC) 4511 is included in a management entity4510 of a tree-based EKB distribution system. The management entity 4510further includes a certificate authority (CA) 4512 that writes asignature on each EKB.

The key distribution center (KDC) 4511 manages keys of subtrees such astop-level category trees. The key distribution center (KDC) 4511 alsomanages an EKB type definition list that will be described later andproduces EKB's. The certificate authority (CA) 4512 writes a signatureon each EKB produced by the key distribution center (KDC) and issues apublic key corresponding to a secret key on which a signature iswritten, for use in verification of the signature.

An EKB requester 4520 requests the key distribution center (KDC) 4511 toissue an EKB. The EKB requester may be a content provider (CP) whoprovides a content-stored medium, such as a CD or DVD on which a contentis stored, a content provider (CP) who distributes a digital content, ora storage system licensor who provides a license of a format of astorage system such as a flash memory.

Each EKB requester 4520 provides an EKB corresponding to content, amedium, or a license format such that a key needed in use of thecontent, the medium, or the license format provided by EKB requester canbe extracted by processing the EKB. Each EKB is produced by the keydistribution center (KDC) 4511 in response to an EKB request sent to thekey distribution center (KDC) 4511 from the EKB requester 4520.

If the EKB requester 4520 receives an EKB issued in response to the EKBrequest sent to the key distribution center (KDC) 4511, the EKBrequester 4520 may provide the EKB to a media manufacturer 4540 and/or adevice manufacturer 4550 and may provide a medium or a device, in whichthe EKB is stored, to a user. Each EKB is produced such that it can beprocessed by one or more category trees.

In the present system, the EKB's may be produced in various fashions andmay be used in various manners. For example, an EKB may be produced suchthat it can be processed in common by a plurality of category trees (twoor three category trees or a greater number of category trees), or maybe produced such that it can be processed only by one category tree. AnEKB type definition list is used to describe such various types of EKB'sin the form of a list. The EKB type definition list is managed by thekey distribution center (KDC). The EKB type definition list will bedescribed in further detail later. The EKB requester 4520 can acquirethe EKB type definition list by issuing a request for the EKB typedefinition list to the key distribution center (KDC) 4511. When data inthe list is renewed, updated data is transmitted to the EKB requesters4520 from the key distribution center (KDC) 4511.

As described above, the top-level category entities (TLCE's) 4530 aremanagement entities of category trees directly connected to the roottree. Each top-level category entity (TLCE) 4530 manages keys of asubtree and a correspondence list representing the correspondencebetween the device ID and the device node key (DNK) set, which is a setof node keys stored in each device for use in processing the EKB. Thetop-level category entity (TLCE) 4530 also produces a device node key(DNK) set to be stored in a device of a type managed by the top-levelcategory entity (TLCE) 4530 and provides it to a manufacturer 4550 thatproduces the device.

If the key distribution center (KDC) 4511 receives an EKB request fromthe EKB requester 4520, the key distribution center (KDC) 4511 producesan EKB in accordance with the EKB request. For example, in a case wherethe EKB request specifies that the EKB can be processed by two specifictop-level category trees, the key distribution center (KDC) 4511requests those two top-level category entities (TLCE's) 4530 to issuetheir sub-EKB's. Upon receiving the sub-EKB request, each top-levelcategory entity (TLCE) 4530 produces a sub-EKB that can be used by anauthorized device within the category tree to acquire the root key andtransmits the resultant sub-EKB to the key distribution center (KDC)4511. On the basis of the one or more sub-EKB's received from theTLCE's, the key distribution center (KDC) 4511 produces an EKB. Theprocess of producing the EKB on the basis of the sub-EKB's will bedescribed in detail later.

The top-level category entities (TLCE's) 4530, as with the EKBrequesters 4520, can acquire the EKB type definition list by sending arequest for it to the key distribution center (KDC) 4511.

Each top-level category entity (TLCE) 4530 can also request the keydistribution center (KDC) 4511 to delete EKB type definition dataassociated with the top-level category entity (TLCE) 4530 from the EKBtype definition list. For example, the delete request may specify thatan EKB type defined as can be shared by another category tree should bedeleted from the list. In a case where a tree managed by the a top-levelcategory entity (TLCE) 4530 is renewed, the top-level category entity(TLCE) 4530 sends a renewal notification to the key distribution center(KDC) 4511. The detailed process thereof will be described later withreference to a flow chart.

The device manufactures 4550 can be classified into two types. Devicemanufactures of one type are DNKE device manufactures 4551 which producedevices in which both a device node key (DNK) set and an EKB are stored.Device manufactures of the other type are DNK device manufactures 4552which produce devices in which only a device node key (DNK) set isstored.

FIG. 48 illustrates, in the form of a block diagram, examples ofconfigurations of the key distribution center (KDC), the EKB request,and the top-level category entity (TLCE) shown in FIG. 47. The keydistribution center (KDC), the EKB requester, and the top-level categoryentity (TLCE) are information processing apparatuses having anencrypted-data communication capability, which are constructed so as toserve as an EKB distribute apparatus, an EKB requesting apparatus, and acategory tree management apparatus.

The information processing apparatus of each entity includes acryptographic unit responsible for general cryptographic process inmutual authentication with another entity and in data communication. Thecryptographic unit includes a control unit for generally controlling thecryptographic process associated with authentication, encryption, anddecryption. An internal memory of the cryptographic unit serves to storedata such as key data and identification data needed in variousprocessed such as mutual authentication, encryption, and decryption. Theidentification data is used, for example, in mutual authentication withanother entity.

An encryption/decryption unit performs, in data transmission using keydata stored in the internal memory, authentication, encryption,decryption, data verification, and random number generation.

As for the information processing apparatus serving as the EKBrequester, it may also be configured such that a key is not generated bythe EKB requester. In this case, components used to generate the key,such as a random number generator, are not necessary. More specifically,in a case where the information processing apparatus serving as the EKBrequester generates a root key to be included in an EKB and requests thekey distribution center to generate the EKB so as to include the rootkey, the information processing apparatus has to include means forgenerating the root key. However, in a case where the informationprocessing apparatus serving as the EKB does not produce the root key tobe included in the EKB, but requests the key distribution center (KDC)to produce the root key and further produce the EKB including the rootkey produced by the key distribution center (KDC), the informationprocessing apparatus does not need to include components such as therandom number generator used to produce the key.

Because information such as an encryption key is stored in the internalmemory of the cryptographic unit, the internal memory should beconstructed such that an unauthorized access to the memory is prevented.More specifically, the cryptographic unit is configured using ananti-tamper memory formed of a semiconductor chip or the like so as tobe protected from an external access.

Each entity includes, in addition to the cryptographic unit describedabove, a CPU (Central Processing Unit), a RAM (Random Access Memory), aROM (Read Only Memory), an input unit, a display unit, a databaseinterface, and a database.

The CPU (Central Processing Unit), the RAM (Random Access Memory), andthe ROM (Read Only Memory) form a control system of the entity. The RAMis used a main memory used by the CPU as a work area in variousprocesses. The ROM is used to store a starting program executed by theCPU.

The database or storage means of each information processing apparatusstores data managed by the entity. For example, in the key distributioncenter (KDC), management data associated with issued EKB's and the EKBtype definition list are stored in its database. In the case of thetop-level category entity (TLCE), management data associated withdevices belonging to the category tree, such as data indicatingcorrespondence between the devices managed by the TLCE and the devicenode key (DNK) sets, is stored in the database. In the EKB requester,the database stores management data indicating the correspondencebetween contents provided by the EKB requester and the EKB's used forthe contents and management data indicating the devices to which thecontents are provided. It is desirable that the EKB type definition listbe stored in an accessible manner also in the information processingapparatuses serving as the EKB requester and the top-level categoryentity (TLCE). Alternatively, the EKB type definition list may be storedat a Web site that is managed by the key distribution center (KDC) andthat can be accessed by the EKB requester and the top-level categoryentity (TLCE).

As described earlier, devices use a device node key (DNK) set whenprocessing (decrypting) an EKB. An example of a device node key (DNK)set stored in a device is described below with reference to FIG. 49. InFIG. 49, a tree nodes a category tree, in which leaves related todevices are disposed at the bottom. For example, the tree may be a treemanaged by a top-level category entity (TLCE). The category tree isconnected to a root tree (having an eight-level structure, for example)located at a higher level. Each device holds node keys assigned to nodesin a path from the device to a higher level, as shown in FIG. 49. Thesekeys are held as a device node key (DNK) set in the device so that anEKB can be decrypted using the device node key (DNK) set.

Basically, each device is assigned to one leaf such that there is nooverlap. However, in an exceptional case in which software programs suchas PC programs are related to leaves, a version of a software packagemay be assigned to all leaves. The assignment of devices is determinedby the TLCE. That is, the TLCE determines which device is assigned towhich leaf, and which node keys are assigned to which device.

The top-level category entity (TLCE) may be a device supplier(manufacturer). In this case, the top-level category entity (TCLE) maysupply (sell) a device after storing a device node key (DNK) settherein. That is, it is possible to supply (sell) a device such as arecording/reproducing apparatus including a memory in which node keys ofa specific category tree have been stored as a device node key (DNK)set.

EKB Type Definition List

Distribution of an EKB on a category basis has already been described.In a case where an EKB for common use by a plurality of categories isissued, that is, in a case where the issued EKB can be processed bydevices belonging to different category trees, there is a possibilitythat some problems occur.

For example, let us assume herein that two different companies A and Bhave a license of a format of a rewritable medium (storage medium) suchas a portable flash memory; a manufacturer having a license of a medium(portable flash memory) is an entity of a top level category; andcategory trees managed by companies A and B, respectively, exist at alevel below the top-level category. Let us further assume that, in orderthat devices of companies A and B be compatible with each other and canuse various contents in common, an EKB that can be processed (decrypted)by devices belonging to any one of the category trees of companies A andB is produced and distributed by the key distribution center (KDC).

In such a situation, if secrecy of a device node key (DNK) set of onedevice belonging to a category tree managed by the company A is broken,there is a possibility that all already-distributed contents, which canbe used by devices of both companies A and B by using that device nodekey (DNK) set, may be used in an unauthorized manner. To prevent suchunauthorized use, it is needed to renew the EKB for evocation. However,in this case, because the EKB has been produced such that it can be usedin common by the two category trees associated with companies A and B,revocation should be performed not only for the category tree associatedwith company A but for both categories associated with companies A andB.

As described above, in the case where an EKB is distributed such that itcan be used in common by a plurality of category trees, renewal of theEKB and revocation should be performed not only for one category treebut for all category trees that use in common the EKB. As a result,company B is influenced by a category tree other than the category treemanaged by company B. This results in an increase in complexity ofmanagement process.

Herein, a technique of solving the above problem is disclosed below.That is, the right of giving permission of issuing an EKB usable incommon by a plurality of categories is granted to the respectivecategory entities that manage the categories. Issuing of an EKB forcommon use is permitted by an entity only when the entity can accept arisk of a problem which may occur in devices of a category of an entityas a result of occurrence of a problem in a device belonging to anothercategory. However, in a case where the entity cannot accept the risk,the entity does not permit issue or use of a common EKB.

In this method, various kinds of EKB's are produced and used. Forexample, an EKB may be such an EKB that can be processed by two or threecategory trees, or a greater number of category trees, but another EKBmay be such an EKB that can be processed only by a single category tree.An EKB type definition list is used to describe such various types ofEKB's in the form of a list. FIG. 50 shows an example of an EKB typedefinition list. The EKB type definition list is stored and managed bythe key distribution center (KDC). The EKB type definition list isprovided to, or can be accessed by, EKB requesters or TLCE's, asrequired.

As shown in FIG. 50, the EKB type definition list includes fields of“EKB type identification number”, “node”, and “description”. The “EKBtype identification number” is a number identifying a specific one ofvarious EKB's listed in the EKB type definition list. If theidentification number is different, then the category tree or thecombination of category trees that allowed to process the EKB becomedifferent.

The “node” field is used to describe the top-node ID of category treesto which a specific EKB can be applied. For example, for an EKB of anEKB type identification number of 1, the top-node ID of a category treeassociated with an MS (memory media sold under the trademark MEMORYSTICK) is assigned. On the other hand, for an EKB of an EKB typeidentification number of 3, the top-node ID of the category treeassociated with the MS (MEMORY STICK) and the top-node ID of a categoryassociated with a PHS are assigned.

The field of “description” is used to store descriptions of varioustypes EKB's listed in the EKB type definition list. For example, thedata in the “description” field for the EKB of the EKB typeidentification number of 1 indicates that this EKB is for the MS (MEMORYSTICK), and the data in the “description” field for the EKB of the EKBtype identification number of 3 indicates that this EKB can be used incommon by category trees of the MS (MEMORY STICK) and the PHS.

The EKB type definition list shown in FIG. 50 is managed by the keydistribution center (KDC). An entity such as a content provider, whichis going to distribute encrypted data such as an encrypted key or anencrypted content encrypted using a key that can be extracted byprocessing the EKB, selects, from the EKB type definition list shown inFIG. 50, an EKB type that can be processed by a category includingdevices to which the content is going to be supplied. The contentprovider then requests the key distribution center (KDC) to produce anEKB specified by the corresponding EKB type identification number.

When various types of EKB's are registered in the EKB type definitionlist, registration should be performed with the approval of thetop-level category entities (TLCE's) of the category trees to beregistered. When, for example, TLCE-A of the category tree refused issueof an EKB shared by another category, an EKB type that is shared by thecategory tree A and said another category is not registered in the EKBtype definition list.

In a case where all TLCE-A of the category tree A, TLCE-B of thecategory tree B, and TLCE-C of the category tree C, have approved issueof an EKB for common use, an EKB type that can be processed in common bythose three category trees is registered in the EKB type definitionlist. Thereafter, a content provider can specify the EKB typeidentification number assigned to that EKB type and can request the keydistribution center (KDC) to issue a corresponding EKB.

That is, in order to register a new EKB type and a corresponding EKBtype identification number in the EKB type definition list, thefollowing process is required.

(1) All TLCE's, which manage categories relating to an EKB type havingan EKB type identification number to be registered, send an EKB typeregistration request to the key distribution center (KDC).

(2) The key distribution center (KDC) confirms that the EKB typeregistration requests have been received from all top-level categoryentities (TLCE's) of category trees which will be capable of processingan EKB of the EKB type requested to be registered. After theconfirmation, the key distribution center (KDC) defines a new EKB typeidentification number for the EKB type and adds it to the EKB typedefinition list.

(3) The key distribution center (KDC) sends an EKB type definition listrenewal notification to all TLCE's and EKB requesters to notify that theEKB type definition list has been renewed.

The EKB type definition list is opened for use by all TLCE's and EKBrequesters by sending it to all TLCE's and EKB requesters or by puttingit at a Web site. Thus, TLCE's and EKB requesters can acquire EKB typeinformation described in the newest EKB type definition list.

EKB Type Registration

A process performed by the key distribution center (KDC) beforeregistering a new EKB type in the EKB type definition list is describedbelow with reference to FIG. 51. First, the key distribution center(KDC) receives an EKB type registration request from an TLCE that wantsto register a new EKB type (S101). The EKB type registration requestfrom the TLCE includes a description of the number of categories thatshould be able to use in common the EKB to be registered. The keydistribution center (KDC) determines whether as many similar EKB typeregistration requests as the number of categories described in therequest have been received from TLCE's (S102). If and only if as manyEKB type registration requests as the number of categories described inthe request have been received from TLCE's, the key distribution center(KDC) registers the new EKB type in the EKB type definition list inaccordance with the request. The key distribution center (KDC) performsa list renewal process and issues a list renewal notification (S103).The renewal notification is sent to all TLCE's and EKB requesters.

As described above, the key distribution center (KDC) performsregistration of a new EKB type identifier into the EKB type definitionlist only when approval of the registration has been obtained from allcategory entities which manage the category trees specified as categorytrees which should be able to process the EKB type to be registered.

In the above process, mutual authentication and encryption oftransmission data are performed, as required, in communication betweenthe key distribution center (KDC) and TLCE's or EKB requesters.Furthermore, encryption of other messages, writing of signature, anddata verification may also be performed. In a case where authenticationor cryptographic communication is performed using the public keycryptographic technology, it is required that entities already havetheir public keys.

Revocation of an EKB Type

When it is needed to revoke all devices belonging to a certain category,the top-level category entity (TLCE) issues a request for revocation ofEKB types associated with the category to the key distribution center(KDC). Furthermore, when a certain service is going to be terminated orwhen there is some reason, the top-level category entity (TLCE) mayissue a request for revocation of an EKB type from the presentregistration to the KDC.

The process of revocation of an EKB type is described below withreference to a flow chart shown in FIG. 52. First, the key distributioncenter (KDC) receives an EKB type revocation request from an TLCE thatwants to revoke an EKB type (S201). If the key distribution center (KDC)receives the EKB type revocation request from the TLCE, the keydistribution center (KDC) confirms that the issuer of the request is theTLCE that manages the category associated with the EKB type requested tobe revoked. After confirmation, the key distribution center (KDC)revokes, from the EKB type definition list, the EKB type identificationnumber corresponding to the EKB type specified by the EKB typerevocation request, and performs renewal of the EKB type definitionlist. Thereafter, the key distribution center (KDC) issues a listrenewal notification (S202). The renewal notification is sent to allTLCE's and EKB requesters.

As described earlier, the key distribution center (KDC) performsrevocation of an EKB type identifier registered in the EKB typedefinition list, if and only if a revocation request is received from atleast one of category entities managing one or more category treesselected as category trees that can be processed on the basis of an EKBtype requested to be revoked. In this case, approval or the othercategory entities is not needed.

In the above process, mutual authentication and encryption oftransmission data are performed, as required, in communication betweenthe key distribution center (KDC) and TLCE's or EKB requesters.Furthermore, encryption of other messages, writing of signature, anddata verification may also be performed. In a case where authenticationor cryptographic communication is performed using the public keycryptographic technology, it is required that entities already havetheir public keys.

EKB Type Definition List Renewal Notification

For example, in a case where, in a certain category tree, the TLCEmanaging that category tree has performed some process resulting in achange in the state of the tree, such as revocation of a device or achange in a device node key (DNK) set stored in a certain device intoanother device node key (DNK) set, the TLCE has to notify the EKBrequesters or TLCE's using EKBs associated with that device of the factthat the process has been performed.

When revocation of a device has been performed, if a notification of therevocation is not sent, a content provider (CP) may use an old EKB intransmission of an encrypted content. The old EKB can be processed(decrypted) even by the revoked device, and thus there is a possibilitythat unauthorized use of the content is continued. In a case where adevice node key (DNK) set has been renewed, the old DNK replaced withthe new one is usually discarded and a device has the new DNK. However,if a content provider does not use an EKB in which the new DNK isreflected, a device having the new DNK cannot process (decrypt) the EKBand thus cannot access the content.

To avoid such a problem, a TLCE has to send a tree change notificationto the key distribution center (KDC) when one of changes described belowoccurs:

A change in a tag part of a EKB performed in response to revocation of adevice

A change in a value of a DNK set stored in at least one device,performed in response to renewal of a device node key (DNK) set.

The tree change notification includes information indicating an EKB typeidentification number to be changed in the EKB type definition list,information indicating a category associated with that EKB typeidentification number, and information indicating what has occurred, forexample, indicating that revocation or DNK renewal has been performed.

The process of EKB type definition list renewal notification isdescribed below with reference to a flow chart shown in FIG. 53. First,the key distribution center (KDC) receives a tree change notificationfrom a TLCE (S301). Upon receiving the tree change notification from theTLCE, the key distribution center (KDC) extracts an EKB typeidentification number associated with the category from the EKB typedefinition list, and sends an EKB type definition list renewalnotification to all TLCE's and EKB requesters to notify what kind ofchange (revocation or DNK replacement) has occurred and which EKB typeidentification number is influenced by the change. In the above process,mutual authentication and encryption of transmission data are performed,as required, in communication between the key distribution center (KDC)and TLCE's or EKB requesters. Furthermore, encryption of other messages,writing of signature, and data verification may also be performed. In acase where authentication or cryptographic communication is performedusing the public key cryptographic technology, it is required thatentities already have their public keys.

EKB Type Definition List Request

In order to obtain a newest version of EKB type definition list, atop-level category entity (TLCE), a sub-category entity (SCE) other thanthe TLCE, or an EKB requester such as a content provider may send arequest for the EKB type definition list to the key distribution center(KDC). In response to the request, the key distribution center (KDC)returns the newest version of EKB type definition list to the requester.

The EKB type definition list request process is described below withreference to a flow chart shown in FIG. 54. First, the key distributioncenter (KDC) receives an EKB type definition list from a TLCE, asub-category entity, or an EKB requester (S401). Upon receiving the EKBtype definition list, the key distribution center (KDC) extracts thenewest version of EKB type definition list and transmits it to theentity which has issued the request. In the above process, mutualauthentication and encryption of transmission data are performed, asrequired, in communication between the key distribution center (KDC) andTLCE's, sub-category entities, or EKB requesters. Furthermore,encryption of other messages, writing of signature, and dataverification may also be performed. In a case where authentication orcryptographic communication is performed using the public keycryptographic technology, it is required that entities already havetheir public keys.

Issuing an EKB

An EKB is issued in response to an EKB request received from an EKBrequester. Specific examples of EKB requesters are listed below:

[a] Content provider (CP) that provides a content-stored medium such asa CD or DVD,

[b] Content provider that provides electronic content distribution (ECD)service,

[c] Holder of a storage system format

The EKB requester is an entity that provides a service, a medium, or adevice in which content or a format can be used by acquiring a key bydecrypting an EKB.

The storage system format holders described in [c] can be classifiedinto two types as described below:

[c1] Format holder that provides an acquired EKB to a manufacturer of astorage medium according to a format in which the EKB is stored into thestorage medium when it is produced.

[c2] Format holder that provides an acquired EKB to a manufacturer of arecording device according to a format in which the EKB is stored intothe recording device when it is produced.

The EKB issue process is described below.

(1) Production of a Content Key

First, an EKB requester such as a content provider produces a contentkey to be used in conjunction with a content, a device, or a medium theEKB requester provides.

For example, in the case where the EKB requester is:

[a] a content provider (CP) that provides a content-stored medium suchas a CD or DVD, or

[b] a content provider that provides electronic content distribution(ECD) service,

the produced content key is used to protect the content stored on themedium or protect the content during the electronic content distribution(ECD) service.

On the other hand, when the EKB requester is:

[c1] a format holder that provides an acquired EKB to a manufacturer ofa storage medium according to a format in which the EKB is stored intothe storage medium when it is produced,

the content key is used to protect the content stored on the medium.

In the case where the EKB requester is:

[c2] a format holder that provides an acquired EKB to a manufacturer ofa recording device according to a format in which the EKB is stored intothe recording device when it is produced,

the content key is used to protect the content stored using therecording device.

The mechanism, such as an cryptographic algorithm, of protecting thecontent using the content key may be determined arbitrarily for eachformat.

(2) Production of a Root Key

The EKB requester produces a root key that can be extracted bydecrypting the EKB. Alternatively, the root key may be acquired from thekey distribution center (KDC) instead of producing it. The root key isused to protect (encrypt) the content key. The mechanism, such as ancryptographic algorithm, of protecting the content key using the rootkey may be determined arbitrarily for each format.

(3) Request for Issue of an EKB

The EKB requester sends an EKB issue request to the key distributioncenter (KDC).

The EKB issue request includes information indicating the root key andinformation specifying one of EKB type identification numbers registeredin the EKB type definition list, to indicate a category including thedevice to which the root key is to be transmitted using the EKB. On thebasis of the EKB type definition list stored in the storage medium ofthe EKB requester, or on the basis of the EKB type definition listacquired from a site on a network, the EKB requester selects an EKB typeassociated with a category including the device to which service such asproviding content is to be provided. The EKB requester then sends to thekey distribution center (KDC) an EKB issue request including informationspecifying the EKB type identification number indicating the selectedEKB type.

(4) Issue of EKB

In accordance with the EKB issue request received from the EKBrequester, the key distribution center (KDC) produces an EKB such thatthe EKB includes the root key if the root key is not included in the EKBissue request. However, if the EKB issue request does not include theroot key and if the EKB issue request includes a request for productionof the root key, the key distribution center (KDC) produces the root keyand further produces an EKB including the produced root key. Theresultant EKB is transmitted to the EKB requester.

The EKB produced by the key distribution center (KDC) can be of a typethat can be processed only by a single category tree or of a type thatcan be processed by a plurality of category trees. On the basis of theEKB type identification number specified in the EKB issue request, thekey distribute center (KDC) extracts a category associated with the EKBtype identification number, that is, extracts the node described in thenode field, corresponding to the EKB type identification number, of theEKB type definition list. In the node field, the top node ID of thecategory is described. The entity managing that category can be knownfrom this node ID. On the basis of the node ID, the key distributioncenter (KDC) sends a sub-EKB issue request to the top-level categoryentity (TLCE) that manages the category. The sub-EKB issue requestincludes information indicating the root key and information indicatingthe category.

If the TLCE receives the sub-EKB issue request from the key distributioncenter (KDC), the TLCE produces a sub-EKB such that devices (non-revokeddevices) within specified one or more categories can finally extract theroot key from the sub-EKB, and the TLCE transmits the resultant sub-EKBto the key distribution center (KDC).

The sub-EKB produced by the top-level category entity (TLCE) has a datastructure similar to that of a usual EKB (FIG. 6) except that theversion number and other information for verification (version checkvalue) are not included. The algorithm of encrypting a higher-level nodekey or a root key using a leaf key or a lower-level node key describedin the sub-EKB, the key length, and the mode may be arbitrarilydetermined for each TLCE (format holder) that produces the sub-EKB. Thismakes it possible to employ a particular security scheme differentlyfrom the other formats. A default encryption algorithm may bedetermined. For example, the triple-DES according to FIPS46-2(FederalInformation Processing Standards Publication 46-2) may be employed asthe default encryption algorithm such that the triple-DES algorithm isemployed if the TLCE's do not object to it. In the case where each TLCEarbitrarily determines the encryption algorithm or the key length, whensub-EKB's produced by different TLCE's are combined together into asingle EKB, each (encrypted) key is rewritten into data with apredetermined length, such as 16 bytes, so that the resultant combinedEKB can be used by any device managed by any TLCE. By properlydetermining the data format of the combined EKB used in common in aplurality of category trees, it becomes possible for any device in anycategory tree to correctly determine the location of the key data to beused. For example, if each block of key data in the EKB is representedin 16 bytes, the device can sequentially extract the correct key datathat can be processed by the device, and can finally acquire the rootkey.

That is, in accordance with the data format of the combined EKB producedfrom a plurality of sub-EKB's, a plurality of key data are stored infixed-length data fields. Therefore, when sub enabling key blocks(sub-EKB's) having different key data lengths according to differentalgorithms are combined into a single EKB, even if a plurality ofencrypted key data of sub-EKB's are rearranged in accordance with thelocations of the nodes or leaves in the key tree, it is possible tocorrectly extract necessary key data in accordance with the tagsdescribed in the EKB. Such a combined EKB may be distributed to users(devices) by means of transmission via a network or by providing astorage medium on which the EKB is stored.

The key distribution center (KDC) assembles or combines the sub-EKB'sreceived from TLCE's as required, and adds a version number andverification information. The resultant completed EKB is transmitted tothe EKB requester. A digital signature using the public key cryptographymay be written by a certificate authority (CA) other than the keydistribution center (KDC).

The process of producing sub-EKB's and combining them into a single EKBis described with reference to FIG. 55. FIG. 55 shows a sub-EKB-(A),which is produced by a TLCE of a category tree A (5100) in the processof producing a combined EKB that can be used in common by both categorytrees A (5100) and B (5200). The sub-EKB-(A) is produced such that eachdevice in the category tree A (5100) can extract the root key. Althoughin the previous examples, the root tree 5300 has an 8-level treestructure, a 2-level tree structure is assumed in the present examplefor the purpose of simplicity.

In FIG. 55, each underlined 3-digit number [XXX] in the tree structuredenotes a tag (e, l, r) in the EKB. As described earlier (FIGS. 26 and27), e=1 denotes that there is data, and e=0 denotes that there is nodata. 1=1 denotes that there is no branch extending to left, and 1=0denotes that there is a branch extending to left. r=1 denotes that thereis no branch extending to right, and r=0 denotes that there is a branchextending to right.

In order to produce the sub-EKB-(A) such that all devices (leaves) inthe category tree A (5100) shown in FIG. 55 can extract the root key,the sub-EKB-(A) should include data produced by encrypting the root keyusing a node key held in common by all leaves. Each device has node keysin its path in the device node key (DNK) region 5120 of the categorytree A (5100) shown in FIG. 55. Therefore, if the root key is encryptedusing a node key at the top in the DNK region 5120, then the resultantEKB satisfies the above requirement.

Thus, the TLCE of the category tree A (5100) produces the sub-EKB-(A)such that its tag part consists of 101, 010,000, 111, and 111, and itskey part consists of Enc(K010, Kroot) and Enc(K011, Kroot). The TLCE ofthe category tree A (5100) transmits the resultant sub-EKB-(A) to thekey distribution center (KDC).

A sub-EKB-(B) produced by the category tree B (5200) is described belowwith reference to FIG. 56. In order to produce the sub-EKB-(B) such thatall devices (leaves) in the category tree B (5200) can extract the rootkey, the sub-EKB-(B) should include data produced by encrypting the rootkey using a node key held in common by all leaves. Each device has nodekeys in its path in the device node key (DNK) region 5220 of thecategory tree B (5200) shown in FIG. 56, Therefore, if the root key isencrypted using a node key at the top in the DNK region 5220, then theresultant EKB satisfies the above requirement.

Thus, the TLCE of the category tree B (5200) produces the sub-EKB-(B)such that its tag part consists of 110, 010,000, 111, and 111, and itskey part consists of Enc(K110, Kroot) and Enc(K111, Kroot). The TLCE ofthe category tree B (5200) transmits the resultant sub-EKB-(B) to thekey distribution center (KDC).

The key distribution center (KDC) produces a combined EKB from thesub-EKB-(A) and the sub-EKB-(B) produced by the respective TLCE's. Theprocess of producing the combined EKB is described below with referenceto FIG. 57. The combined EKB is produced such that all devices belongingto the category tree A (5100) and all devices belonging to the categorytree B (5200) can extract the root key from the EKB. Basically, thecombined EKB can be produced by combining the sequences of key data ofthe received sub-EKB's into a single sequence of key data such that thelocations of key data in the sequence correspond to the locations in thetree from top to bottom and from left to right.

Thus, the tag part of the combined EKB becomes 100, 010, 010,000, 000,111, 111, 111, 111, and the key part becomes Enc(K010, Kroot), Enc(K011,Kroot), Enc(K110, Kroot), Enc(K111, Kroot). If each block of key data inthe key part is represented by, for example, 16 bytes, as describedabove, then each device in the category trees can detect the locationsof the key data that can be processed by the device, and thus canextract the root key from the combined EKB.

In the above example of the process of producing the sub-EKB's and thecombined EKB, it is assumed that any category tree does not include arevoked device. The process of producing sub-EKB's and a combined EKB isdescribed below for the case where there is a revoked device.

FIG. 58 shows the process of producing a sub-EKB when the category treeA (5100) includes a revoked device (01101) 5150. In this case, thesub-EKB is produced as a sub-EKB-(A′) that cannot be processed by therevoked device (01101) 5150 but can be processed by the other devices inthe category tree A (5100).

In this specific example, the sub-EKB is produced by selecting key dataalong the paths denoted by bold lines in FIG. 58. Thus, the sub-EKB-(A′)produced by the TLCE of the category tree A (5100) includes a tag partconsisting of 101, 010,000, 111, 000, 001, 111, and 111, and a key partconsisting of Enc(K010, Kroot), Enc(K0111, Kroot), and Enc(K01100,Kroot). The TLCE of the category tree A (5100) transmits the resultantsub-EKB-(A′) to the key distribution center (KDC).

The key distribution center (KDC) produces a combined EKB from thesub-EKB-(A′) and a sub-EKB-(B) received from the TLCE of the categorytree B (5200) (FIG. 56). The process of producing the combined EKB isdescribed below with reference to FIG. 59. The combined EKB is producedsuch that all devices belonging to the category tree A (5100) except forthe revoked device (01101) 5150 and all devices belonging to thecategory tree B (5200) without exception can extract the root key fromthe EKB. Basically, the combined EKB can be produced by combining thesequences of key data of the received sub-EKB's into a single sequenceof key data such that the locations of key data in the sequencecorrespond to the locations in the tree from top to bottom and from leftto right.

Thus, the tag part of the combined EKB consist of 100, 010, 010,000,000, 111, 000, 111, 111, 001, 111, and 111, and the key part consists ofEnc(K010, Kroot), Enc(K110, Kroot), Enc(K111, Kroot), Enc(K0111, Kroot),and Enc(K01100, Kroot). This combined EKB allows extraction of the rootkey, for all devices belonging to the category tree A (5100) except forthe revoked device (01101) 5150 and for all devices belong to thecategory tree B (5200) without exception.

(5) Use of EKB

The EKB produced by the key distribution center (KDC) via the processdescribed above is transmitted to the EKB requester.

For example, in the case where the EKB requester is:

[a] a content provider (CP) that provides a content-stored medium suchas a CD or DVD, or

[b] a content key is encrypted using the root key that can be extractedfrom the EKB, and content is encrypted using the content key anddistributed. The resultant content can be used only by authorizeddevices which belong to the specific category and thus can process theEKB.

On the other hand, when the EKB requester is:

[c1] a format holder that provides an acquired EKB to a manufacturer ofa storage medium according to a format in which the EKB is stored intothe storage medium when it is produced,

the produced EKB and the content key encrypted using the root key areprovided to the storage medium manufacturer, and storage media on whichthe EKB and the content key encrypted using the root key are stored areproduced by the storage medium manufacturer or the EKB requester itself,and the produced storage media are distributed. In this case, only thedevices which belong to the specific category tree and thus can processthe EKB can perform encryption and decryption using the EKB stored onthe storage medium in the operation recording/reproducing the content.

In the case where the EKB requester is:

[c2] a format holder that provides an acquired EKB to a manufacturer ofa recording device according to a format in which the EKB is stored intothe recording device when it is produced,

the produced EKB and the content key encrypted using the root key areprovided to the recording device manufacturer, and recording devices inwhich the EKB and the content key encrypted using the root key arestored are produced by the recording device manufacturer or the EKBrequester itself, and the produced recording devices are distributed. Inthis case, only the devices which belong to the specific category treeand thus can process the EKB can perform encryption and decryption usingthe EKB in the operation of recording/reproducing the content.

In the above process, mutual authentication and encryption oftransmission data are performed, as required, in communication betweenentities, EKB requesters, the key distribution center (KDC), and TLCE's.Furthermore, encryption of other messages, writing of signature, anddata verification may also be performed. In a case where authenticationor cryptographic communication is performed using the public keycryptographic technology, it is required that entities already havetheir public keys.

Producing an EKB by Simply Combining Sub-EKB's

In the above-described process of producing a combined EKB fromsub-EKB's, a sequence of encrypted key data included in the respectivesub-EKB's are rearranged such that the locations of key data in thesequence correspond to the locations in the whole tree from top tobottom. A technique of producing a combined EKB by simply combiningsub-EKB's produced by TLCE's of category trees into a single EKB withoutperforming rearrangement is described below.

FIG. 60 shows an example of a combined EKB 6000 produced by simplycombining sub-EKB's produced by TLCE's of category trees into a singleEKB without performing rearrangement.

In the process of issuing an EKB, the key distribution center (KDC)sends a sub-EKB production request to TLCE's which are entities managingcategory trees corresponding to an EKB type identification number, inthe EKB type definition list, specified by an EKB requester. Sub-EKB's6110, 6120 and so on received from TLCE's are simply combined togetherinto a single EKB thereby producing a combined EKB 6000. In order thateach device belonging to a specific category can select, from thecombined EKB 6000, a sub-EKB which corresponds to the specific categorythe device belongs to and thus which can be processed by the device,data (data length) 6111 (or 6121) indicating the data size of eachsub-EKB and data (node ID) 6112 (or 6122) indicating the categorycorresponding to each sub-EKB are added.

That is, the combined EKB includes, in addition to the selectedsub-EKB's, the data indicating the data length of respective sub-EKBstorage areas and the node ID's, serving as sub-EKB identification data,of the respective category trees corresponding to the sub-EKB's.Furthermore, information indicating the number of sub-EKB's included inthe combined EKB is described in the header 6200. Still furthermore, asignature 6300 is produced (by a certificate authority or the like) inaccordance with the data of the combined EKB and added thereto.

FIG. 61 shows a combined EKB 6000 produced in the manner described abovewith reference to FIG. 57. A sub-EKB described in a sub-EKB field 6110is exactly the same as the sub-EKB-(A) produced by the TLCE of thecategory tree A described above with reference to FIG. 55, wherein thetag part thereof consists of 101, 010,000, 111, and 111, and the keypart consists of Enc(K010, Kroot) and Enc(K011, Kroot). A sub-EKBdescribed in a sub-EKB field 6120 is exactly the same as the sub-EKB-(B)produced by the TLCE of the category tree B described above withreference to FIG. 56, wherein the tag part thereof consists of 110,010,000, 111, and 111, and the key part consists of Enc(K110, Kroot) andEnc(K111, Kroot).

FIG. 62 shows the data structure of a combined EKB 6000 produced fromsub-EKB's, shown in FIGS. 58 and 59, produced in a situation in whichthere is a revoked device. A sub-EKB described in a sub-EKB field 6110is exactly the same as sub-EKB-(A′) produced by the TLCE of the categorytree A described above with reference to FIG. 58, wherein the tag partthereof consists of 101, 010,000, 111, 000, 001, 111, and 111, and thekey part consists of Enc(K010, Kroot), Enc(K0111, Kroot), andEnc(K01100, Kroot). A sub-EKB described in a sub-EKB field 6120 isexactly the same as sub-EKB-(B) produced by the TLCE of the categorytree B, including no revoked device, described above with reference toFIG. 56, wherein the tag part thereof consists of 110, 010,000, 111, and111, and the key part consists of Enc(K110, Kroot) and Enc(K111, Kroot).

The combined EKB described above makes it possible for each devicebelonging to a specific category to select a sub-EKB corresponding tothat specific category and process (decrypt) the selected sub-EKB. Thisallows a sub-EKB to be produced for each category (TLCE) using anabsolutely arbitrary cryptographic algorithm or key length. In otherwords, each TLCE can determine the cryptographic algorithm and the keylength without being influenced by the other categories.

The key distribution center (KDC) does not need to disassemble andreassemble the tag parts and the key data parts of sub-EKB's receivedfrom respective TLCE's, and thus the complexity of the process is eased.

When a device acquires an EKB produced according to the present scheme,the device can detect an sub-EKB corresponding to a category to whichthe device belongs, and can extract a root key by processing the sub-EKBin accordance with a specific procedure determined by a TLCE managingthe device. It is not needed to know the procedures determined by theTLCE's of the other categories. It is also not needed to describe keysin a sub-EKB such that the keys have a fixed length, and, theoretically,the key length may be set to any arbitrary value.

Revocation (1)

A revocation process performed in a case where an EKB usable in commonby a plurality of categories is described below. First, a revocationprocess is described which may occur in a situation in which encryptedcontent is acquired from the outside via a network or a medium, acontent key is decrypted using a key extracted from an EKB, and finallythe content is decrypted.

Referring to FIG. 63, an EKB 7000 is assumed to be used in common by acategory tree A (7100) and a category tree B (7200). The EKB 7000 usedin common by the category tree A (7100) and the category tree B (7200)is assigned an EKB type identification number #1 in the EKB typedefinition list.

In such a situation, a content provider provides content encrypted usinga content key via a network or a medium, and devices belong to acategory tree A (7100) and devices belonging to a category tree B (7200)use the content by extracting a root key from the EKB 7000, acquiringthe content key by performing decryption using the root key, and finallydecrypting the encrypted content using the content key.

In this situation, if breakage of secrecy of key data or anotherunauthorized state of a device A1 (7120) belonging to the category treeA (7100) is detected, the device A1 (7120) is revoked.

To perform revocation, the TLCE of the category tree A (7100) firstissues a tree change notification (FIG. 53) to the key distributioncenter (KDC). In accordance with the received tree change notification,the key distribution center (KDC) sends a notification to TLCE's and EKBrequesters managed by the key distribution center (KDC). Thenotification includes only information indicating that the tree changenotification has been received, and renewal of the EKB type definitionlist is not performed at this point of time.

The tree change notification issued in response to revocation may besent only to entities of EKB requesters using the EKB that can beprocessed by the category tree in which revocation occurs, or further tocategory entities that manage other category trees using the same EKB asthat used by the category tree in which revocation occurs. In order tomake it possible to perform the above process, the key distributioncenter (KDC) holds a list of users of already-issued EKB's, in which EKBrequesters using specific EKB types and corresponding EKB typeidentification numbers are listed.

A content provider, which provides content to devices in the categorytree in which revocation has been performed and which is also an EKBrequester in this situation, requests the key distribution center (KDC)to produce an EKB renewed such that only devices other than the revokeddevice can process the EKB. In this specific case, the content providerbehaving as the EKB requester in such a situation specifies the EKB typeidentification number #1, indicating the EKB type that is used in commonby the category tree A (7100) and the category tree B (7200).Thereafter, the EKB requester produces a new root key and sends it tothe KDC, or alternatively, the EKB requester requests the KDC to producea new root key.

In accordance with the specified EKB type identification number #1, thekey distribution center (KDC) searches the EKB type definition list todetect nodes of relating category trees and requests TLCE's of categorytrees A (7100) and B (7200) corresponding to the detected nodes toproduce a sub-EKB from which authorized devices can extract a new rootkey.

In response to the request, each of TLCE's of the category trees A(7100) and B (7200) produces a sub-EKB. In this specific case, in thecategory tree A (7100), a sub-EKB-(A) is produced such that only devicesother than the revoked device A1 (7120) can extract a new root key fromthe sub-EKB-(A).

In the category tree B (7200), if there is no revoked device, asub-EKB-(B) is produced such that all devices belonging to the categoryB (7200) can extract a new root key from the sub-EKB-(B) and theresultant sub-EKB-(B) is transmitted to the key distribution center(KDC).

The key distribution center (KDC) produces a combined EKB from thesub-EKB's received from the respective TLCE's in the above-describedmanner, and transmits the resultant EKB to the EKB requester (contentprovider).

The EKB requester (content provider) distributes content using the newEKB received from the key distribution center (KDC). More specifically,the EKB requester (content provider) encrypts the content using acontent key and encrypts the content key using the root key extracted bydecrypting the EKB, and distributes the encrypted content and contentkey. The devices belonging to the category tree A (7100) and the devicesbelonging to the category tree B (7200) can use the content byextracting the root key from the EKB, extracting the content key byperforming decryption using the root key, and finally decrypting theencrypted content using the content key. However, the revoked device A1(7120) in the category tree A (7100) cannot process the renewed EKB andthus cannot use the content.

In the example described above, the key distribution center (KDC) doesnot renew the EKB type definition list at the point of time at which thetree change notification is received from the TLCE. Alternatively, atthe point of time at which the tree change notification is received, thekey distribution center (KDC) may renew the EKB and the EKB typedefinition list in accordance with the tree change notification, and maytransmit the renewed EKB type definition list to the EKB requesters andTLCE's.

Revocation (2)

A revocation process is now described which may occur in a situation inwhich various contents are encrypted and stored by a user into arecording device or a storage medium in which an EKB is stored, whereina root key extracted from the EKB stored in the recording device or thestorage medium is used as a key needed in encryption and decryption.This type of recording device or storage medium is said to be of aself-recording type.

Referring to FIG. 64, an EKB 7000 is assumed to be used in common by acategory tree A (7100) and a category tree B (7200). That is, the EKBfor common use is stored in recording devices or the storage media usedin common in the category tree A (8100) and the category tree B (8200),and users record and play back content by means of encryption anddecryption using the EKB. The EKB 8000 used in common by the categorytree A (8100) and the category tree B (8200) is assigned an EKB typeidentification number #1 in the EKB type definition list.

In this situation, if breakage of secrecy of key data or anotherunauthorized state of a device A1 (8120) belonging to the category treeA (8100) is detected, the device A1 (8120) is revoked.

To perform revocation, the TLCE of the category tree A (8100) firstissues a tree change notification (FIG. 53) to the key distributioncenter (KDC). In accordance with the received tree change notification,the key distribution center (KDC) sends a notification to the TLCE'smanaged by the key distribution center (KDC) and to associated EKBrequesters. The notification includes only information indicating thatthe tree change notification has been received, and renewal of the EKBtype definition list is not performed at this point of time.

In order to prevent contents from being further used by the revokeddevice A1 (8120), the TLCE of the category tree in which revocation hasoccurred requests the key distribution center (KDC) to produce an EKBrenewed such that only devices other than the revoked device can processthe EKB. In this situation, this TLCE behaves as an EKB requester. Inthis specific case, the TLCE behaving as the EKB requester in such asituation specifies the EKB type identification number #1 indicating theEKB type that is used in common by the category tree A (8100) and thecategory tree B (8200). Thereafter, the EKB requester produces a newroot key and sends it to the KDC, or alternatively, the EKB requesterrequests the KDC to produce a new root key.

In accordance with the specified EKB type identification number #1, thekey distribution center (KDC) searches the EKB type definition list todetect nodes of relating category trees and requests TLCE's of categorytrees A (8100) and B (8200) corresponding to the detected nodes toproduce a sub-EKB from which authorized devices can extract a new rootkey.

In response to the request, each of the TLCE's of the category trees A(8100) and B (8200) produces a sub-EKB. In this specific case, in thecategory tree A (8100), a sub-EKB-(A) is produced such that only devicesother than the revoked device A1 (8120) can extract a new root key fromthe sub-EKB-(A). In the category tree B (8200), if there is no revokeddevice, a sub-EKB-(B) is produced such that all devices belonging to thecategory B (8200) can extract a new root key from the sub-EKB-(B), andthe resultant sub-EKB-(B) is transmitted to the key distribution center(KDC).

The key distribution center (KDC) produces a combined EKB from thesub-EKB's received from the respective TLCE's in the above-describedmanner, and transmits the resultant EKB to the respective TLCE's (formatholders).

Each TLCE (format holder) sends the new EKB received from the keydistribution center (KDC) to devices to update the EKB stored in thedevices. The devices belonging to the category tree A (8100) and thedevices belonging to the category tree B (8200) can record new contentinto the devices using, in the encryption/decryption process, the rootkey extracted from the updated EKB. The recorded content encrypted usingthe new EKB can be decrypted only when the corresponding EKB is applied,and thus the revoked device cannot use the content.

The present invention has been described in detail above with referenceto particular embodiments. It will be apparent to those skilled in theart that various modifications and substitution to those embodiments maybe made in the embodiment chosen for illustration without departing fromthe spirit and scope of the invention. That is, the embodiments havebeen described above by way of example and not limitation. The scope ofthe invention is to be determined solely by the appended claims.

In the information processing system and method according to the presentinvention, as described above, a key tree is produced so as to include aplurality of subtrees serving as category trees that are grouped inaccordance with categories and managed by category entities. An enablingkey block (EKB) is produced so as to include data produced by selectinga path in the key tree and encrypting an upper-level key in the selectedpath using a lower-level key in the selected path. The resultantenabling key block (EKB) is provided to a device, wherein issuing ofEKBs is managed on the basis of the an EKB type definition listrepresenting the correspondence between an EKB type identifier and oneor more identification data identifying one or more category trees thatcan process an EKB of an EKB type identified by the EKB type identifier.This makes it possible for an EKB requester, which issues an EKBproduction request, to easily select a category to which the EKB is tobe applied.

Furthermore, in the information processing system and method accordingto the present invention, a notification of a change in state of acategory tree capable of processing an EKB identified in the EKB typedefinition list is sent to an entity that uses the EKB, thereby makingit possible to use newest EKB type definition information in processing.

1. An information processing system, comprising: a plurality of categoryentities; a key tree including a plurality of leaves, a root, aplurality of nodes existing in paths from the plurality of leaves to theroot, and a plurality of subtrees serving as category trees grouped inaccordance with categories and managed by the plurality of categoryentities; a plurality of devices assigned to at least some of theleaves; a plurality of keys assigned to the root, to at least some ofthe leaves and to at least some of the nodes; an enabling key block(EKB) including encrypted data, the encrypted data being produced byselecting one of the paths in the key tree and encrypting an upper-levelkey in the selected path using a lower-level key in the selected pathsuch that the encrypted data can be decrypted only by a selected one ofthe plurality of devices which can use a node key set corresponding tothe selected path, the EKB being provided to the selected device andbeing capable of being decrypted in common in at least one of thecategory trees; and a key distribution center (KDC) adapted to produceand issue the EKB, the KDC having an EKB type definition listrepresenting a correspondence between an EKB type identifier andidentification data for identifying at least one of the category treesthat can process EKB having a particular EKB type identified by the EKBtype identifier; wherein the KDC is operable to send a notification of achange in state of a selected one of the category trees which is capableof processing the particular EKB to a selected one of the categoryentities that uses the particular EKB.
 2. An information processingsystem according to claim 1, wherein the change in state arises from arevocation of one of the devices in the selected category tree.
 3. Aninformation processing system according to claim 1, wherein the changein state arises from a change of a key stored in a specific one of theplurality of devices that belongs to the selected category tree.
 4. Aninformation processing system according to claim 1, wherein the selectedcategory entity includes an EKB requester that issues an EKB productionrequest to the KDC.
 5. An information processing system according toclaim 1, wherein the selected category entity manages one of thecategory trees that is capable of processing the particular EKB.
 6. Aninformation processing system according to claim 1, wherein the KDC isadapted to send the notification of the change in state to all of thecategory entities that issue an EKB production request to the KDC orthat manage one of the category trees.
 7. An information processingsystem according to claim 1, wherein the KDC is adapted to receive statechange information indicating a change in state of a specific one of thecategory trees from a specific one of the category entities that managesthe specific category tree, to produces the notification of the changein state in accordance with the state change information, and to sendthe notification.
 8. An information processing method for use in asystem having a key tree including a plurality of leaves, a root, and aplurality of nodes existing in paths from the plurality of leaves to theroot, the method comprising: assigning a plurality of devices to atleast some of the leaves; assigning a plurality of keys to the root, toat least some of the leaves, and to at least some of the nodes;producing an enabling key block (EKB), the EKB including encrypted dataproduced by selecting one of the paths in the key tree and encrypting anupper-level key in the selected path using a lower-level key in theselected path such that the encrypted data can be decrypted only by aselected one of the plurality of devices which can use a node key setcorresponding to the selected path; providing the EKB to the selecteddevice; generating an EKB type definition list representing acorrespondence between an EKB type identifier and identification data;and sending a notification from a key distribution center (KDC) of achange in state of a selected one of a plurality of category trees to anentity that uses the EKB, the selected category tree being capable ofprocessing the EKB based upon the EKB type definition list.
 9. Aninformation processing method according to claim 8, wherein the changein state arises from a revocation of one of the devices in the selectedcategory tree.
 10. An information processing method according to claim8, wherein the change in state arises from a change of a key stored in aspecific one of the plurality of devices which belongs to the selectedcategory tree.
 11. An information processing method according to claim8, wherein the entity includes an EKB requester that issues an EKBproduction request to the KDC.
 12. An information processing methodaccording to claim 8, wherein the entity includes a selected categoryentity that manages the selected category tree capable of processing theEKB defined in the EKB type definition list.
 13. An informationprocessing method according to claim 8, wherein the entity comprises aplurality of entities and the KDC sends the notification of the changein state to all of the entities that issue an EKB production request tothe KDC or that manage one of the category trees.
 14. An informationprocessing method according to claim 8, further comprising: receivingstate change information indicating a change in state of a specific oneof the category trees from a category entity that manages the specificcategory tree; and producing the notification of the change in state inaccordance with the state change information.
 15. A recording mediumrecorded with a computer program for executing an information processingmethod in an information processing system having a key tree thatincludes a plurality of leaves, a root, and a plurality of nodesexisting in paths from the plurality of leaves to the root, theinformation processing method comprising: receiving state changeinformation indicating a change in state of a category tree from acategory entity that manages the category tree; producing a notificationof the change in state in accordance with the state change informationreceived from the category entity; and sending the notification to anentity that uses an enabling key block (EKB) that is capable of beingprocessed in the category tree.
 16. An information processing method foruse in an information processing system having a key tree that includesa plurality of leaves, a root, and a plurality of nodes existing inpaths from the plurality of leaves to the root, the informationprocessing method comprising: receiving state change informationindicating a change in state of a category tree from a category entitythat manages the category tree; producing a notification of the changein state in accordance with the state change information received fromthe category entity; and sending the notification to an entity that usesan enabling key block that is capable of being processed in the categorytree.
 17. A recording medium recorded with a computer program forexecuting an information processing method in an information processingsystem having a key tree that includes a plurality of leaves, a root,and a plurality of nodes existing in paths from the plurality of leavesto the root, the information processing method comprising: assigning aplurality of devices to at least some of the leaves; assigning aplurality of keys to the root, to at least some of the leaves, and to atleast some of the nodes; producing an enabling key block (EKB), the EKBincluding encrypted data produced by selecting one of the paths in thekey tree and encrypting an upper-level key in the selected path using alower-level key in the selected path such that the encrypted data can bedecrypted only by a selected one of the plurality of devices which canuse a node key set corresponding to the selected path; providing the EKBto the selected device; generating an EKB type definition listrepresenting a correspondence between an EKB type identifier andidentification data; and sending a notification from a key distributioncenter (KDC) of a change in state of a selected one of a plurality ofcategory trees to our entity that uses the EKB, the selected categorytree being capable of processing the EKB based upon the EKB typedefinition list.